Action-Oriented Threat Modeling with ThreatPlaybook
Threat Modeling is a critical activity for product engineering teams. In the rare event that it is conducted at all, it usually produces no actionable output, and the exercise is relegated to the status of a "Policy/Best Practice Document". We believe that threat models are the playbooks of product security engineering, and that the best way to conduct threat modeling is to integrate it into the Software Development Lifecycle (SDL). Threat models should produce actionable outputs that the various teams within the organization can act upon.

To address this gap, we have developed "ThreatPlaybook", an open-source "Threat Modeling as Code" framework that lets product teams capture user stories, abuser stories, threat models and security test cases in YAML files (much as Ansible does). Using a test automation framework (in this case, Robot Framework), ThreatPlaybook allows product engineering and pentesting teams not only to capture threat models as code but also to trigger specific security test cases with tools such as OWASP ZAP, Burp Suite, WFuzz, Sublist3r and Nmap. The benefits are:

1) Threat modeling becomes a first-class citizen alongside the code. Threat models and security test cases are iterated and updated as the product evolves, rather than frozen in a static document.

2) Threat modeling becomes actionable. Product teams compose "Recipes" in which user stories (functionality) lead to abuser stories (threat profiles), which lead to threat models (scenarios), which in turn define security test cases; each test case kicks off specific tools according to the recipe written for it.

3) Threat modeling and security testing converge: teams can improve both, based on the results this framework produces.
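To make the recipe chain concrete, here is an added example (not ThreatPlaybook's own code, and not from this page) that walks a playbook of that shape in Python, flags threat scenarios that were modelled but never given a test case, flattens the rest into a severity-ordered plan of tool invocations, and renders a Robot Framework suite that would run them. The playbook schema, the tool argument templates, the hostnames and the wordlist path are all assumptions made for the illustration; ThreatPlaybook keeps the data in YAML files, so in practice the dict below would come from `yaml.safe_load`.

```python
"""Turn a ThreatPlaybook-style playbook (user story -> abuser stories ->
threat scenarios -> test cases) into actionable output: validation of the chain,
a severity-ordered test plan, and a Robot Framework suite. Added example."""
import string

# Assumed tool registry: tool -> argv template; {placeholders} come from a
# test case's "params". Illustrative invocations, not a ThreatPlaybook feature.
TOOL_TEMPLATES = {
    "nmap": ["nmap", "-sV", "-p", "{ports}", "{host}"],
    "wfuzz": ["wfuzz", "-w", "{wordlist}", "--hc", "404", "{target}/FUZZ"],
}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}  # run the worst first

# Constructed playbook (assumed schema). ThreatPlaybook keeps this in YAML;
# this dict is what yaml.safe_load would return, inlined to avoid dependencies.
PLAYBOOK = {
    "user_story": "As a customer I can log in with email and password",
    "abuser_stories": [
        {"name": "Credential stuffing against the login form",
         "threat_scenarios": [
             {"name": "No rate limiting on POST /login", "severity": "high",
              "test_cases": [{"name": "fuzz-login-passwords", "tool": "wfuzz",
                              "params": {"wordlist": "/usr/share/wordlists/rockyou.txt",
                                         "target": "https://app.example.test/login"}}]},
             {"name": "Login exposed on an unexpected port", "severity": "medium",
              "test_cases": [{"name": "service-discovery", "tool": "nmap",
                              "params": {"ports": "1-65535", "host": "app.example.test"}}]},
         ]},
        {"name": "Attacker finds forgotten staging hosts",
         "threat_scenarios": [
             # Modelled but never tested: validate_playbook flags this gap.
             {"name": "Staging login reachable from the internet",
              "severity": "medium", "test_cases": []},
         ]},
    ],
}

def needed_params(tool):
    """Placeholder names a tool template requires, e.g. {'ports', 'host'}."""
    return {field for arg in TOOL_TEMPLATES[tool]
            for _, field, _, _ in string.Formatter().parse(arg) if field}

def validate_playbook(playbook):
    """Return the gaps that would leave part of the threat model untested."""
    gaps = []
    for story in playbook.get("abuser_stories", []):
        scenarios = story.get("threat_scenarios", [])
        if not scenarios:
            gaps.append(f"abuser story '{story['name']}' has no threat scenario")
        for scenario in scenarios:
            cases = scenario.get("test_cases", [])
            if not cases:
                gaps.append(f"threat scenario '{scenario['name']}' has no test case")
            for case in cases:
                tool = case.get("tool")
                if tool not in TOOL_TEMPLATES:
                    gaps.append(f"test case '{case['name']}' uses unknown tool '{tool}'")
                    continue
                missing = needed_params(tool) - set(case.get("params", {}))
                if missing:
                    gaps.append(f"test case '{case['name']}' lacks params: {', '.join(sorted(missing))}")
    return gaps

def build_test_plan(playbook):
    """Flatten the chain into runnable steps, worst severity first, keeping
    the lineage so a finding traces back to its abuser story."""
    plan = []
    for story in playbook.get("abuser_stories", []):
        for scenario in story.get("threat_scenarios", []):
            for case in scenario.get("test_cases", []):
                tool, params = case.get("tool"), case.get("params", {})
                if tool not in TOOL_TEMPLATES or needed_params(tool) - set(params):
                    continue  # already reported by validate_playbook
                plan.append({"user_story": playbook["user_story"],
                             "abuser_story": story["name"],
                             "threat_scenario": scenario["name"],
                             "severity": scenario.get("severity", "low"),
                             "test_case": case["name"],
                             "argv": [a.format(**params) for a in TOOL_TEMPLATES[tool]]})
    plan.sort(key=lambda s: SEVERITY_RANK.get(s["severity"], len(SEVERITY_RANK)))
    return plan

def render_robot_suite(plan):
    """Emit a Robot Framework suite that runs each step via the standard Process
    library, tagged with its severity and documented with its lineage."""
    lines = ["*** Settings ***", "Library    Process", "", "*** Test Cases ***"]
    for step in plan:
        lines += [step["test_case"],
                  f"    [Documentation]    {step['abuser_story']} / {step['threat_scenario']}",
                  f"    [Tags]    severity:{step['severity']}",
                  "    ${result}=    Run Process    " + "    ".join(step["argv"]),
                  # rc 0 only proves the tool ran; a real recipe parses the output.
                  "    Should Be Equal As Integers    ${result.rc}    0"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for gap in validate_playbook(PLAYBOOK):
        print("GAP:", gap)
    print(render_robot_suite(build_test_plan(PLAYBOOK)))
```

Running the module prints one gap (the staging scenario that has a threat model but no test case) followed by the generated suite; saving that suite as a `.robot` file and invoking `robot` on it executes the tools in order of severity. The `rc == 0` check only establishes that each tool ran; a real recipe parses the tool's output to decide whether the threat scenario is actually exploitable.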
The webinar has ended; registration is closed. If you have questions, please contact the webinar host: Rahul Raghavan.