What is Rapid Threat Model Prototyping?

Summary:

In this episode, we sit down with Geoff Hill from Tutamantic_Sec to explore the innovative approach of Rapid Threat Model Prototyping (RTMP). Geoff shares his journey from being a C++ developer to becoming a threat modeling expert, highlighting the challenges and successes he encountered along the way. This episode dives deep into how RTMP can help streamline threat modeling processes, making them more efficient and scalable.

Key Discussion Points:

  1. Introduction to RTMP:

    • Geoff explains the origins and the need for a new threat modeling approach.

    • Discussion on traditional threat modeling challenges and how RTMP addresses them.

  2. Implementation and Benefits:

    • Detailed walkthrough of RTMP’s implementation in various organizations.

    • How RTMP integrates with existing development workflows like Agile and DevOps.

    • Benefits of using RTMP, including reduced workload on security teams and improved security posture.

  3. RTMP Methodology:

    • Explanation of the stages and numerical ranking system in RTMP.

    • How RTMP utilizes open-source frameworks and tools.

    • The role of security champions within development teams.

  4. Practical Applications and Case Studies:

    • Real-world examples of RTMP in action.

    • Success stories and lessons learned from implementing RTMP in different industries.

  5. Future of Threat Modeling:

    • Geoff’s insights on the evolution of threat modeling.

    • Upcoming trends and the importance of being proactive in security.

Connect with Geoff Hill:

  • Twitter: @Tutamantic_Sec

  • LinkedIn: Geoff Hill

Contact Information:

Leave a comment below or reach out via the contact form on the site, email timothy.deblock[@]exploresec[.]com, or reach out on LinkedIn.

Check out our services page and reach out if you see any services that fit your needs.

Social Media Links:

[RSS Feed] [iTunes] [LinkedIn]


What is FAIR (Factor Analysis of Information Risk)?

Summary:

In this insightful episode, Timothy De Block sits down with Jack Jones, the creator of the Factor Analysis of Information Risk (FAIR) model. Jack shares his journey and the challenges he faced that led to the creation of FAIR, a groundbreaking framework for understanding and quantifying information risk.

Episode Highlights:

Introduction to FAIR:

  • FAIR stands for Factor Analysis of Information Risk.

  • It is a logical decomposition of the factors that drive how much loss exposure a scenario represents.

Jack's Catalyst for Creating FAIR:

  • The need for a quantifiable measurement of risk during his tenure as a CISO at Nationwide Insurance.

  • The pivotal moment when an executive asked him to quantify the organization's risk exposure.

Understanding Quantitative vs. Qualitative Risk:

  • Quantitative risk involves using units of measurement like percentages and dollar amounts.

  • Qualitative risk is ordinal and involves categories like high, medium, and low without precise measurement units.

Applying FAIR in Organizations:

  • The process of using FAIR starts with understanding the decision you need to support, then scoping the scenario, identifying the assets, threats, and controls involved, and using ranges (rather than single point values) to estimate frequency and impact.

  • FAIR helps in prioritizing risks and determining the ROI on security investments.
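The range-based estimation and prioritisation described in the bullets above, worked through as an added example in Python (this is not code from the episode, from Jack Jones, or from the FAIR Institute's tooling). It uses FAIR's top-level decomposition, risk = loss event frequency x loss magnitude, with loss event frequency = threat event frequency x vulnerability. The triangular distribution is an assumption standing in for the PERT curves FAIR tools commonly use, and the two scenarios and all their numbers are constructed for illustration.

```python
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """A calibrated estimate expressed as minimum / most likely / maximum."""
    low: float
    most_likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Assumption: a triangular distribution over the three inputs.
        # FAIR tooling typically uses a PERT curve; the inputs are the same.
        return rng.triangular(self.low, self.high, self.most_likely)


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_event_frequency: Range  # threat events per year
    vulnerability: Range           # probability a threat event becomes a loss event
    loss_magnitude: Range          # dollars lost per loss event


def simulate_ale(scenario: Scenario, iterations: int = 20000, seed: int = 1) -> dict:
    """Monte Carlo estimate of annualized loss exposure (ALE) in dollars.

    FAIR decomposition used here:
        loss event frequency (LEF) = threat event frequency (TEF) x vulnerability
        annual loss exposure       = LEF x loss magnitude (LM)
    Returns the mean and a few percentiles so the result stays a range,
    not a single number that hides the uncertainty in the inputs.
    """
    rng = random.Random(seed)  # fixed seed: repeatable runs
    samples = []
    for _ in range(iterations):
        tef = scenario.threat_event_frequency.sample(rng)
        vuln = scenario.vulnerability.sample(rng)
        lef = tef * vuln
        lm = scenario.loss_magnitude.sample(rng)
        samples.append(lef * lm)
    samples.sort()

    def pct(p: float) -> float:
        return samples[min(len(samples) - 1, int(p * len(samples)))]

    return {
        "mean": statistics.fmean(samples),
        "p10": pct(0.10),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "max": samples[-1],
    }


def qualitative_bucket(ale_dollars: float,
                       medium_threshold: float = 100_000.0,
                       high_threshold: float = 1_000_000.0) -> str:
    """Ordinal rating of the kind the episode contrasts with quantitative risk.

    Thresholds are constructed. Note what the label throws away: "High" says
    nothing about whether the exposure is $1.2M or $12M, or how sure we are.
    """
    if ale_dollars >= high_threshold:
        return "High"
    if ale_dollars >= medium_threshold:
        return "Medium"
    return "Low"


def prioritize(scenarios, **simulate_kwargs):
    """Rank scenarios by median (p50) annualized loss exposure, largest first."""
    ranked = [(s.name, simulate_ale(s, **simulate_kwargs)["p50"]) for s in scenarios]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed scenarios (illustrative numbers only, not from the episode).
PHISHING = Scenario(
    name="Phishing-led credential theft",
    threat_event_frequency=Range(2, 5, 12),
    vulnerability=Range(0.10, 0.25, 0.50),
    loss_magnitude=Range(20_000, 75_000, 400_000),
)
LOST_LAPTOP = Scenario(
    name="Lost unencrypted laptop",
    threat_event_frequency=Range(0.5, 2, 6),
    vulnerability=Range(0.05, 0.10, 0.30),
    loss_magnitude=Range(5_000, 30_000, 150_000),
)

if __name__ == "__main__":
    for scenario in (PHISHING, LOST_LAPTOP):
        result = simulate_ale(scenario)
        print(f"{scenario.name}: p10=${result['p10']:,.0f} "
              f"p50=${result['p50']:,.0f} p90=${result['p90']:,.0f} "
              f"({qualitative_bucket(result['p50'])})")
    print("Priority order:", [name for name, _ in prioritize((PHISHING, LOST_LAPTOP))])
```

The design point is the one the episode makes: the inputs are ranges, so the output is a distribution, and the percentiles are what you put in front of the executive who asked "how much risk do we have?". The ordinal bucket is included only to show what is lost when the dollar figure is collapsed to a label.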

Challenges and Solutions in Using FAIR:

  • Common challenges include the perception that perfect data is needed, the skills gap, and the complexity of scaling quantitative analysis.

  • Leveraging community resources, training, and new automated solutions from vendors can help overcome these challenges.

Resources and Training:

  • The FAIR Institute offers free membership and extensive resources.

  • The Open Group provides professional certification and training materials.

  • The book "Measuring and Managing Information Risk: A FAIR Approach" is a recommended read.

Key Quotes:

  • "FAIR is about critically thinking about risk. The quantitative measurement is a bonus, but it's really a framework for thinking more clearly about the scenarios we need to manage against." - Jack Jones

  • "Protecting applications from session hijacking involves understanding the application's handling of temporary credentials and implementing robust security measures." - Jack Jones



What is the OWASP Threat Dragon?

In this fire-breathing edition of the Exploring Information Security podcast, I talk to Mike Goodwin the project lead of the OWASP Threat Dragon.

Mike (@theblacklabguy) joins me to discuss his OWASP project, Threat Dragon. The project is meant to give developers an easy-to-use tool for performing threat modeling. It is built on NodeJS and AngularJS, and has a slick interface and GitHub integration. His roadmap for the project includes Bitbucket integration and a rule engine that will help with threat modeling.

In this episode we discuss:

  • What is threat modeling?
  • What led to the idea of Threat Dragon?
  • How does someone get started with the tool?
  • What's the effort on a project like this? (contact mike[dot]goodwing[at]owasp[dot]org to help)

What is threat modeling?

Originally posted August 13, 2014.

In the fifth edition of the Exploring Information Security (EIS) podcast, I talk with J Wolfgang Goerlich, Vice President of Vio Point, about threat modeling.

Wolfgang has presented at many conferences on the topic of threat modeling. He suggests a method of threat modeling built around threat paths, instead of other methods such as a threat tree or kill chain. You can find him taking long walks and naps on Twitter (@jwgoerlich) and participating in several MiSec (@MiSec) projects and events.

In this interview Wolfgang covers:

  • What is threat modeling?
  • What needs to be done to threat model
  • Who should perform the threat modeling
  • Resources that can be used to build an effective threat model
  • The life cycle of a threat model