Видео

Hmm, dunno...I'm a director and I don't make budgets by polling my employees and look at spend. I determine what I need based upon threats I have to face and the goals of my company so that route doesn't make sense to me. Attack surface narrative points made were on point.

Yep, well everywhere I went, people literally always asked me to present the differences, so this video was a manifestation of that. STRIDE is not a true methodology. It's simply a threat categorization. This has been its self-provided description since inception. You can always make anything extensible to any other frameworks. This is inherent. That doesn't the extended capability elevates the innate qualities of the mnemonic. It's USED for software centric processes, but it IS a threat categorization. All threats fall into one of six immutable buckets. Those letters relate to "threats" (in their opinion, not mine btw, as Spoofing is not a threat but an attack. The end goal is not spoofing, and no real cybercriminal will concur the end goal is "spoofing" - first letter of STRIDE). Threats have objectives in the real cybercriminal world and those objectives leverage attack patterns of which "Spoofing" is one of them but it's not in itself the objective. Yes, STRIDE is used to simplify software and architecture analysis to ask, "where can these threats take place in my software/ app model". It's not a methodology and again the extensibility of anything doesn't then make it innately adopt those attributes of that extensible ISO or NIST framework.

@@TTT-jt9zw IMHO Spoofing can be both a threat and an attack. It depends on the point of view. But still STRIDE is per se is not useless. Those 6 catagories are still valid. I would agree that STRIDE is not as extendible as PASTA but in combination with Attack Tree and a proper risk assessment you will find and assess enough threats and risks that you can say, my system is now more secure then before. The comparison betwenn PASTA and STRIDE is for me like comapring apples with pears because PASTA is much more then threat modeling alone. Comparing the TARA from ISO 21434 (HEAVENS 2.0) with PASTA would be more accurate.

@@juergenm6107 STRIDE may be a good start for students or SMBs but orgs facing serious threats and those threats are changing, I would not admit to doing threat modeling with static, immutable threat categories in today's threat landscape. Again, personal opinion, but logically with all the dynamic threats that map to a multitude of attacks, it would be remiss for product owners to not have threat intel inspired threat models. PASTA was invented by Marco and I after having used STRIDE and TRIKE for years so it is the risk centric threat modeling methodology. Anytime sites mention "methodology" STRIDE is not. I think the term methodology should be looked up b/c it's not a process for doing but simply an aid. PASTA was invented as 7 step methodology that aligns to maturity models and allows companies to build their own PASTA. GitLab is just one of many orgs that take PASTA and make their own. Their are 7 stages and 34 activities. You can make it what you want. If one is having to take STRIDE, add a framework, rope in a risk assessment, the big question is, why not just do PASTA? GitLab made a post btw on their PASTA adoption journey. about.gitlab.com/blog/2021/07/09/creating-a-threat-model-that-works-for-gitlab/

@eyeofsauron2812 Thank you for your comment. You can find out more about smishing by reading our blog: Smishing and Vishing Explained: How Phone-Based Cyber Attacks Work versprite.com/blog/smishing-and-vishing-explained/

But in simple terms, smishing is social engineering over SMS or text based messages. Often times, this may or may not include links or numbers to call. It can sometimes be simply text with nothing to click on but serve as a "pre-text" for something later the attacker, threat actor, or social engineering artist would like you to do.

Technically, phishing and smishing is near the same thing, other than how they operate.

Okay, thanks guys

Yes, similar threat motive, but different attack vector (email vs. sms text). Threat motive yes is the same; dupe target to get them to do an action (e.g. - call a number (malicious VRU device), visit malicious website, provide personal info, etc.) or something in the interest of the attacker. Attacker is @@benouzgane1929

Glad it was helpful!

Hello Sunday, thank you for reaching out. We have a lot of helpful threat modeling resources on our website. For example here is a RACI Diagram that shows the roll distrubition during each step of the threat model. versprite.com/blog/application-security/threat-modeling/versprite-pasta-threat-modeling-raci-diagram/

Here is a link to the PASTA threat modeling ebook for reference. versprite.com/ebooks/leveraging-risk-centric-threat-models-for-integrated-risk-management/

Thank you so much for stopping by! For more resources, check out our website -> versprite.com/security-resources/

ቅያ_Tube, thank you for watching. Here is a link to the PASTA ebook for reference. versprite.com/ebooks/leveraging-risk-centric-threat-models-for-integrated-risk-management/ Please feel free to use PASTA in your organizational threat modeling. If you need further assistance or just want to chat please feel free to contact us anytime. versprite.com/contact/

No. I am not a genius on this topic. But as far as I know, people are saying it's a new kernel from scratch. Recently, Google changed some code on kernel to take notes from Linux kernel. The project is called startnix or something.

its forked from the TempleOS kernel

@@ravitejaknts no it is a fork of lk(little kernel)

@@kerbatonbaton8108 based

TempleOS kernel ✝

Hi S Naz, would love to discuss this in further detail. Please provide me with your email address, or simply go to our contact page and fill out the form (versprite.com/contact/). Looking forward to connecting with you.

need some help regarding Threat modeling

Hi@@afrahfathima8866would love to connect and help you with your Threat Model. Please provide your email address, or simply go to our contact page and fill out the form (versprite.com/contact/). Looking forward to helping you. ​

Yes, DFD is one of the most important steps in Stage 3 PASTA threat modeling. The processing of DFD information will help you better understand the inputs, the outputs, and the many actions in between. We also have a blog on our website that does a deeper dive into PASTA. Feel free to skip to stage 3 for more info on DFD: versprite.com/blog/what-is-pasta-threat-modeling/

You can use PASTA to do an org threat model vs. an app threat model and process decomposition is stage 3 of org threat modeling. You can determine if the workflow around software development bears any weaknesses that could be altered by a threat actor to any entity executing on those workflows. Helpful when trying to take that PFD (Process Flow Diagram) to see where abuse cases could be unleashed to affect code quality, code integrity, affect downstream build processes and more.

Why?

Hi Shadara! Thank you for your comment. Our Staffing Practice Manager has a video that might help you in your job search and interview prep here: ruclips.net/video/bsNb8DFU3YQ/видео.html. Good luck with your interview! And if you need more places to apply, don't forget to check out our careers page here: boards.greenhouse.io/versprite.

Did you ever doubt him?

Thank you.