#Q1. You are a security analyst at an organization that runs several web applications. Your CIO is interested in using threat modeling as part of the software development lifecycle. Provide her an overview of threat modeling and the value it would provide to your company – you need to choose between an asset/risk-based or threat/security-based approach. As part of your overview include a detailed explanation of the appropriate threat model for your approach (e.g., PASTA or STRIDE or another standardized methodology), which should address the different objectives the model attempts to achieve, and provide two potential mitigations for each threat/attack scenario. [75 points]

You can make any assumptions you want about the web application, just make sure you explain them in the essay. Avoid any examples that might be in the textbook.
#Q2. Describe an attack tree and what it is used for. Provide an example attack tree on how you would cheat on this Final exam. (Do not cheat on this exam or test your attack tree. This is a thought exercise only). [25 points]

[Special Note for Q2: You do not need all three basic components of an essay for this response, as long as you provide a thorough/complete description of an attack tree.]
Threat modeling is a structured process with these objectives: identify security requirements, pinpoint security threats and potential vulnerabilities, quantify the criticality of each threat and vulnerability, and prioritize remediation methods. Threat modeling methods produce these artifacts: an abstraction of the system; profiles of potential attackers, including their goals and methods; and a catalog of threats that could arise.

Done right, threat modeling provides a clear “line of sight” across a project that justifies security efforts. The threat model allows security decisions to be made rationally, with all the information on the table. The threat modeling process naturally produces an assurance argument that can be used to explain and defend the security of an application. An assurance argument starts with a few high-level claims and justifies each of them with either subclaims or evidence.
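As an added illustration (not part of the assignment text or any published methodology), the following Python sketches the artifacts described above for a hypothetical customer-portal web application: a STRIDE-tagged threat catalog with two mitigations per threat, a remediation ordering by likelihood times impact, and an assurance argument whose top-level claim is justified by subclaims and evidence. The portal, its threats, the scores and the evidence items are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical web application (an assumption, not from the assignment): a
# customer portal with a login form, a search endpoint and an SQL database.

@dataclass
class Threat:
    name: str
    stride: str            # STRIDE letter: S, T, R, I, D or E
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (negligible) .. 5 (severe)
    mitigations: tuple     # two mitigations per threat, as Q1 requires

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact

THREAT_CATALOG = [  # constructed sample catalog for the hypothetical portal
    Threat("Credential stuffing against the login form", "S", 5, 4,
           ("MFA for all accounts", "Rate limiting plus breached-password checks")),
    Threat("SQL injection in the search endpoint", "T", 3, 5,
           ("Parameterised queries only", "Least-privilege DB role for the app")),
    Threat("Order history exposed via predictable record IDs", "I", 4, 3,
           ("Authorisation check on every object fetch", "Random, non-sequential IDs")),
    Threat("Customers deny having placed an order", "R", 2, 2,
           ("Signed, append-only audit log", "Order confirmation e-mails")),
]

def prioritize(threats):
    """Remediation order: highest likelihood x impact first, ties broken by impact."""
    return sorted(threats, key=lambda t: (t.risk, t.impact), reverse=True)

@dataclass
class Claim:
    text: str
    evidence: list = field(default_factory=list)   # e.g. scan reports, test results
    subclaims: list = field(default_factory=list)

def supported(claim) -> bool:
    """A claim holds if every subclaim holds, or (for a leaf) if it has evidence."""
    if claim.subclaims:
        return all(supported(c) for c in claim.subclaims)
    return bool(claim.evidence)

# Constructed assurance argument: one high-level claim justified by subclaims.
ARGUMENT = Claim("The portal resists the STRIDE threats in the catalog", subclaims=[
    Claim("Spoofing is mitigated", evidence=["MFA rollout report (constructed)"]),
    Claim("Tampering is mitigated", subclaims=[
        Claim("No dynamic SQL in the code base", evidence=["SAST run (constructed)"]),
        Claim("DB role has no DDL rights", evidence=[]),   # gap: no evidence yet
    ]),
])
```

Running `supported(ARGUMENT)` returns False until evidence is attached to the DB-role claim, which is exactly the kind of gap the argument is meant to surface before the CIO signs off.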