Zero Trust Threat Modeling
ฝัง
- เผยแพร่เมื่อ 22 ม.ค. 2024
- Slides: static.sched.c...
Zero trust is all the rage. Nevertheless, zero trust has vast implications for application security and threat modeling. Zero trust threat modeling means the death of the trust boundary. Zero trust security models assume attackers are in the environment, and data sources and flows can no longer hide. This uncovers threats never dreamed of in classic threat modeling. We'll begin by laying a foundation of zero trust against the lens of application security. What does Zero Trust architecture mean as it reaches the top of the technology stack? Zero-trust architecture brings us back to when it was all about objects and subjects. The essence of zero trust is only allowing certain subjects to access particular objects. From there, we'll apply the concept of zero trust to threat modeling by understanding what changes with threat modeling in a zero-trust world and by considering a threat model of the zero-trust architecture. We'll explore using new design principles in a zero-trust threat model and introduce a mnemonic to help apply the major threats impacting zero trust to threat modeling and expose a new taxonomy of threats specific to the zero-trust application. So long live the threat model but say goodbye to the trust boundary.
Chris Romeo
Devici
CEO
Raleigh, NC
devici.com
/ edgeroute
/ securityjourney
Chris Romeo is a leading voice and thinker in application security, threat modeling, and security champions and the CEO of Devici and General Partner at Kerr Ventures. Chris hosts the award-winning “Application Security Podcast,” “The Security Table,” and “The Threat Modeling Podcast” and is a highly rated industry speaker and trainer, featured at the RSA Conference, the AppSec Village @ DefCon, OWASP Global AppSec, ISC2 Security Congress, InfoSec World and All Day DevOps. Chris founded Security Journey, a security education company, leading to an exit in 2022. Chris was the Chief Security Advocate at Cisco, spreading security knowledge through education and champion programs. Chris has twenty-six years of security experience, holding positions across the gamut, including application security, security engineering, incident response, and various Executive roles. Chris holds the CISSP and CSSLP certifications.
Managed by the OWASP® Foundation
owasp.org/