Threat Modeling Stories from the Trenches - Security Design Flaws and Solutions
Offered By: OWASP Foundation via YouTube
Course Description
Overview
Explore real-world threat modeling scenarios and learn from practical experiences in this conference talk. Delve into the fundamentals of threat modeling, design flaws, and security controls. Examine case studies on integration challenges, step-up authentication vulnerabilities, and password storage issues. Discover how developers address security concerns and analyze the implications of production web farms using session databases. Investigate one-time password implementations, multi-factor authentication for remote access, and load balancing server side-effects. Assess secure connection vulnerabilities and potential attack vectors on systems and datacenters. Evaluate asset identification in gaming contexts and strategies for exploiting leaderboard systems. Gain valuable insights to enhance your threat modeling skills and improve overall security practices.
Syllabus
Intro
What is Threat Modelling?
What is a Design Flaw?
Who Sent the Message?
In Theory: Good Security Controls
In Practice: Design Flaws in Integration
Mind the Gap: Stepping Over the Step-Up
Step-up Authentication
Attacking Step-up
Secure Password Storage with Insecure Side Effects
Developers Come to the Rescue
Production Web Farm Using Session DB
One-Time Passwords in Parallel Universes
Multi-factor Authentication for Remote Access
Side-effect of Load Balancing Servers
Secure Connection or Open Door?
Attacking the System
Attack the Datacentre
What is an Asset?
Gaming: Is UserId an Asset?
How Can Bob Climb the Leaderboard?
Summary
Taught by
OWASP Foundation