Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Threat Modeling Gameplay with EoP
  • Table Of Contents Toc
  • Feedback & Rating feedback
Threat Modeling Gameplay with EoP

Threat Modeling Gameplay with EoP

By : Brett Crawley
4.9 (7)
Buy this Book
close
close
Threat Modeling Gameplay with EoP

Threat Modeling Gameplay with EoP

4.9 (7)
By: Brett Crawley
Buy this Book

Overview of this book

Are you looking to navigate security risks, but want to make your learning experience fun? Here's a comprehensive guide that introduces the concept of play to protect, helping you discover the threats that could affect your software design via gameplay. Each chapter in this book covers a suit in the Elevation of Privilege (EoP) card deck (a threat category), providing example threats, references, and suggested mitigations for each card. You’ll explore the methodology for threat modeling—Spoofing, Tampering, Repudiation, Information Disclosure, and Elevation of Privilege (S.T.R.I.D.E.) with Privacy deck and the T.R.I.M. extension pack. T.R.I.M. is a framework for privacy that stands for Transfer, Retention/Removal, Inference, and Minimization. Throughout the book, you’ll learn the meanings of these terms and how they should be applied. From spotting vulnerabilities to implementing practical solutions, the chapters provide actionable strategies for fortifying the security of software systems. By the end of this book, you will be able to recognize threats, understand privacy regulations, access references for further exploration, and get familiarized with techniques to protect against these threats and minimize risks.
Table of Contents (18 chapters)
close
close
close
Preface
Icon
Preface
Icon
Who this book is for
Icon
What this book covers
Icon
To get the most out of this book
Icon
Get in touch
Icon
Share Your Thoughts
Icon
Download a free PDF copy of this book
Free Chapter
1
Chapter 1: Game Play
chevron up
Icon
Chapter 1: Game Play
Icon
What you’ll need to play the EoP game
Icon
Who should participate?
Icon
How to play EoP
Icon
Summary
2
Chapter 2: Spoofing
Icon
Chapter 2: Spoofing
Icon
2. of Spoofing
Icon
3. of Spoofing
Icon
4. of Spoofing
Icon
5. of Spoofing
Icon
6. of Spoofing
Icon
7. of Spoofing I
Icon
7. of Spoofing II
Icon
8. of Spoofing
Icon
9. of Spoofing I
Icon
9. of Spoofing II
Icon
10. of Spoofing
Icon
Jack of Spoofing
Icon
Queen of Spoofing I
Icon
Queen of Spoofing II
Icon
King of Spoofing I
Icon
King of Spoofing II
Icon
Ace of Spoofing I
Icon
Ace of Spoofing II
Icon
Ace of Spoofing III
Icon
Ace of Spoofing IV
Icon
E. of Spoofing
Icon
Summary
Icon
References
3
Chapter 3: Tampering
Icon
Chapter 3: Tampering
Icon
2. of Tampering (2022 deck) I
Icon
2. of Tampering (2022 deck) II
Icon
2. of Tampering (2022 deck) III
Icon
2. of Tampering (2022 deck) IV
Icon
3. of Tampering
Icon
4. of Tampering I
Icon
4. of Tampering II
Icon
5. of Tampering I
Icon
5. of Tampering II
Icon
6. of Tampering
Icon
7. of Tampering I
Icon
7. of Tampering II
Icon
8. of Tampering
Icon
9. of Tampering I
Icon
9. of Tampering II
Icon
10. of Tampering I
Icon
10. of Tampering II
Icon
Jack of Tampering
Icon
Queen of Tampering
Icon
King of Tampering I
Icon
King of Tampering II
Icon
Ace of Tampering I
Icon
Ace of Tampering II
Icon
E of Tampering I
Icon
E of Tampering II
Icon
Summary
4
Chapter 4: Repudiation
Icon
Chapter 4: Repudiation
Icon
The importance of repudiation and its role in security
Icon
2. of Repudiation
Icon
3. of Repudiation
Icon
4. of Repudiation
Icon
5. of Repudiation
Icon
6. of Repudiation I
Icon
6. of Repudiation II
Icon
7. of Repudiation
Icon
8. of Repudiation
Icon
9. of Repudiation
Icon
10. of Repudiation
Icon
Jack of Repudiation
Icon
Queen of Repudiation I
Icon
Queen of Repudiation II
Icon
King of Repudiation I
Icon
King of Repudiation II
Icon
King of Repudiation III
Icon
Ace of Repudiation
Icon
E. of Repudiation
Icon
F. of Repudiation
Icon
G. of Repudiation
Icon
H. of Repudiation I
Icon
H. of Repudiation II
Icon
Summary
5
Chapter 5: Information Disclosure
Icon
Chapter 5: Information Disclosure
Icon
Understanding password management, key management, and cryptography
Icon
2. of Information Disclosure
Icon
3. of Information Disclosure I
Icon
3. of Information Disclosure II
Icon
4. of Information Disclosure
Icon
5. of Information Disclosure
Icon
6. of Information Disclosure
Icon
7. of Information Disclosure
Icon
8. of Information Disclosure I
Icon
8. of Information Disclosure II
Icon
9. of Information Disclosure I
Icon
9. of Information Disclosure II
Icon
10. of Information Disclosure
Icon
Jack of Information Disclosure
Icon
Queen of Information Disclosure
Icon
King of Information Disclosure
Icon
Ace of Information Disclosure I
Icon
Ace of Information Disclosure II
Icon
E of Information Disclosure
Icon
F of Information Disclosure
Icon
Summary
6
Chapter 6: Denial of Service
Icon
Chapter 6: Denial of Service
Icon
2. of Denial of Service I
Icon
2. of Denial of Service II
Icon
3. of Denial of Service I
Icon
3. of Denial of Service II
Icon
3. of Denial of Service (alternative 2022 deck)
Icon
4. of Denial of Service
Icon
4. of Denial of Service (alternative 2022 deck)
Icon
5. of Denial of Service I
Icon
5. of Denial of Service II
Icon
5. of Denial of Service (alternative 2022 deck)
Icon
6. of Denial of Service I
Icon
6. of Denial of Service II
Icon
7. of Denial of Service
Icon
8. of Denial of Service
Icon
9. of Denial of Service
Icon
10. of Denial of Service
Icon
Jack of Denial of Service I
Icon
Jack of Denial of Service II
Icon
Queen of Denial of Service I
Icon
Queen of Denial of Service II
Icon
King of Denial of Service
Icon
Ace of Denial of Service
Icon
E of Denial of Service
Icon
Summary
7
Chapter 7: Elevation of Privilege
Icon
Chapter 7: Elevation of Privilege
Icon
Some important concepts
Icon
2. of Elevation of Privilege (2022 deck)
Icon
3. of Elevation of Privilege (2022 deck) I
Icon
3. of Elevation of Privilege (2022 deck) II
Icon
4. of Elevation of Privilege (2022 deck)
Icon
5. of Elevation of Privilege I
Icon
5. of Elevation of Privilege II
Icon
6. of Elevation of Privilege
Icon
7. of Elevation of Privilege
Icon
8. of Elevation of Privilege
Icon
9. of Elevation of Privilege
Icon
10. of Elevation of Privilege
Icon
Jack of Elevation of Privilege
Icon
Queen of Elevation of Privilege I
Icon
Queen of Elevation of Privilege II
Icon
King of Elevation of Privilege I
Icon
King of Elevation of Privilege II
Icon
Ace of Elevation of Privilege
Icon
Summary
8
Chapter 8: Privacy
Icon
Chapter 8: Privacy
Icon
References used in the chapter
Icon
2 of Privacy
Icon
3 of Privacy
Icon
4. of Privacy
Icon
5. of Privacy
Icon
6. of Privacy
Icon
7. of Privacy
Icon
8. of Privacy
Icon
9. of Privacy
Icon
10. of Privacy
Icon
Jack of Privacy
Icon
Queen of Privacy
Icon
King of Privacy
Icon
Ace of Privacy
Icon
Summary
9
Chapter 9: Transfer
Icon
Chapter 9: Transfer
Icon
References used in the chapter
Icon
2. of Transfer I
Icon
2. of Transfer II
Icon
3. of Transfer
Icon
4. of Transfer
Icon
5. of Transfer
Icon
6. of Transfer
Icon
7. of Transfer
Icon
8. of Transfer I
Icon
8. of Transfer II
Icon
8. of Transfer III
Icon
9. of Transfer
Icon
Ace of Transfer
Icon
Summary
10
Chapter 10: Retention/Removal
Icon
Chapter 10: Retention/Removal
Icon
2. of Retention/Removal
Icon
3. of Retention/Removal I
Icon
3. of Retention/Removal II
Icon
4. of Retention/Removal
Icon
5. of Retention/Removal
Icon
6. of Retention/Removal
Icon
7. of Retention/Removal
Icon
8. of Retention/Removal
Icon
9. of Retention/Removal
Icon
10. of Retention/Removal
Icon
Jack of Retention/Removal
Icon
Ace of Retention/Removal
Icon
Summary
11
Chapter 11: Inference
Icon
Chapter 11: Inference
Icon
2. of Inference
Icon
3. of Inference
Icon
4. of Inference
Icon
5. of Inference
Icon
6. of Inference
Icon
7. of Inference
Icon
8. of Inference
Icon
9. of Inference
Icon
10. of Inference
Icon
Ace of Inference
Icon
Summary
12
Chapter 12: Minimization
Icon
Chapter 12: Minimization
Icon
2. of minimization
Icon
3. of minimization
Icon
4. of minimization
Icon
5. of minimization
Icon
6. of minimization
Icon
Ace of minimization
Icon
Summary
13
Glossary
Icon
Glossary
14
Further Reading
Icon
Books and papers
Icon
Games
15
Licenses for third party content
Icon
CAPEC:
Icon
CWE:
16
Index
Icon
Index
Icon
Why subscribe?
17
Other Books You May Enjoy
Icon
Other Books You May Enjoy
Icon
Packt is searching for authors like you
Icon
Share Your Thoughts
Icon
Download a free PDF copy of this book

What you’ll need to play the EoP game

To get started, you’re going to need a couple of things, depending on how you intend to play the game. Firstly, you are going to need a detailed architecture diagram showing the data flows and preferably the trust boundaries.

Figure 1.1: Diagram showing data flows and trust boundaries

Figure 1.1: Diagram showing data flows and trust boundaries

What are the trust boundaries? They are the boundaries where data passes from one level of trust to another, for example, user input, which is untrusted data and data that has then been sanitized (had any invalid characters or commands removed), or data coming from the internet through the firewall and onto your network. In both cases, the second example is something you should be more willing to trust.

If you’re going to be playing remotely, read the next section.

Having the cards either digitally or physically is going to be a help, so reading the section entitled The cards will point you to where you can download them digitally or purchase them online.

Remote threat modeling

If you’re doing remote threat modeling exercises and you have a Miro account, you might find my Threat Modeling with EoP Miro template handy: https://miro.com/miroverse/threat-modeling-with-eop/.

The board contains instructions on how to get set up and a working example showing how the Miro board was intended to be used.

To deal with the cards for the remote exercise, Agile Stationery has kindly created a card-dealing web application:

https://croupier.agilestationery.co.uk/

Here, you can download TNG Technology Consulting GmbH’s online multiplayer version of the threat modeling card games that you can host on-premises, such as EoP, OWASP Cornucopia, and Cumulus:

https://github.com/tng/elevation-of-privilege

The cards

The following resources are where you can get your hands on a copy of the EoP cards or those of one of its extensions required to play the game, either virtually or physically:

Alternative games

Two other threat modeling games that are quite similar to EoP in how you use them are Cornucopia from OWASP and Cumulus from TNG Technology. Many of the examples from this book will be applicable to cards in these games. Cornucopia is specifically designed for e-commerce applications and there are more threat categories, however, it doesn’t map directly to STRIDE (which stands for the following threat categories: spoofing, tampering, repudiation, information disclosure, and EoP) if you have chosen to use this methodology. Cumulus, as the name suggests, is aimed at threat modeling cloud solutions. You can download these two games at the following links:

Now that we have the resources we need to play the game, let’s see who you should invite to play this game

End of Section 2
Next Section

Create a Note

Modal Close icon
You need to login to use this feature.
notes
bookmark search playlist font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Delete Note

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Edit Note

Modal Close icon
Write a note (max 255 characters)
Cancel
Update Note

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY