Exam SC-100 topic 3 question 32 discussion

CORRECT https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats

To start the threat modeling process based on the Microsoft Cloud Adoption Framework for Azure, you should use A. the STRIDE model. STRIDE is a widely used threat modeling approach developed by Microsoft. It provides a structured way to identify and address potential security threats by focusing on six threat categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. The DREAD model is a risk assessment model, not specifically for threat modeling, while OWASP threat modeling is more generic and not directly tied to the Microsoft Cloud Adoption Framework. Therefore, STRIDE is the recommended choice for this context.

OWASP - Open Web Application Security Project (OWASP) is a non-profit organization founded in 2001. Microsfot recommendaion: https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool

To start the threat modeling process using a top-down approach based on the Microsoft Cloud Adoption Framework for Azure, you should use OWASP threat modeling. This approach helps you systematically identify and address security threats by considering the entire application architecture and its components. OWASP threat modeling provides a comprehensive view of potential risks and vulnerabilities, allowing you to make informed decisions about security controls and mitigations.

It can be both A and C really according to Microsoft, scroll down to Threat Modelling section https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/secure/devsecops-controls

As per Cloud Adoption Framework, the answer is - OWASP threat modeling https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats

Here you will find that DevSecOps uses SDL (Security Development Lifecycle) as the security framework. https://www.microsoft.com/en-us/securityengineering/devsecops And then while researching about SDL and Threat Modeling, you'll reach to the Threats section of documentation where it explains about SDL saying "allows software architects to identify and mitigate potential security issues" (aka DevSecOps), and refers to the STRIDE Model to achieve this security framework. https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats hope this clarifies it.

https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats

https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats

Sorry typo in my previous comment . I meant DREAD is not MS model to being with its all open source

SDLC is old and devops is the new term and STRIDE model is MS own threat model while OWASP and STRIDE are not and they have different purposes. STRIDE is geared towards DEVOPS

Difference between top down vs bottom up approach in general. This will help answer the question which in this case its C https://www.simplilearn.com/top-down-approach-vs-bottom-up-approach-article

the top-down approach may be simpler because it focuses on the key factors that influence the outcome -simpler is the key word OWASP threat modeling: This method focuses on asking simple, non-technical questions to get the threat modeling process started. so i guess C

For threat modeling using a top-down approach based on the Microsoft Cloud Adoption Framework for Azure, starting with the STRIDE model would be the most appropriate. The STRIDE model helps identify and categorize potential threats in six categories: Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, and Elevation of Privileges. This model aligns well with the comprehensive and structured approach advocated by the Microsoft Cloud Adoption Framework, as it provides a systematic way to identify potential security threats in cloud environments. While the DREAD model and OWASP Threat Modeling are also valuable, they serve slightly different purposes. The DREAD model is more focused on assessing the risk level of identified threats, and OWASP provides a broader set of guidelines and tools for web application security, which may not be as directly aligned with the top-down approach of the Microsoft Cloud Adoption Framework.

Ansver: C https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-getting-started

C is the answer as Microsoft said https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/secure/devsecops-controls#threat-modeling-start-simple

A is the answer. https://learn.microsoft.com/en-us/azure/security/develop/secure-design#use-threat-modeling-during-application-design Modeling the application design and enumerating STRIDE threats-Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege-across all trust boundaries has proven an effective way to catch design errors early on.