Threat modeling is often approached from a large-scale perspective: what could attackers do to a whole organization, and how could they get in? That approach relies on automated tooling and comprehensive perimeter scans, and it takes a team to complete within a reasonable timeframe.
But sometimes in pen testing, it’s just you versus an application. In those situations you can’t afford to act as a human scanner, throwing every payload at every input to see what sticks. You aren’t working at the scale of a full perimeter model, and you don’t need to.
Fortunately, threat modeling can also be approached from the functional side. Instead of trying to enumerate every attack vector that might exist in every application before building your methodology, step back and consider the application’s central functions: Does it handle financial transactions? Does it store personal information? Is it closely linked to other applications that hold highly sensitive content?
This workshop will help you understand functional threat modeling and how to apply it to any application. With this method you can organize your plan of attack, confirm the focus and scope of testing with the client, and know what DONE looks like in a pen test. The strategy tailors each engagement to its target while giving you a repeatable methodology to return to with every new application.
Come remodel your sense of threat modeling so you can approach every pen test with confidence and a plan.