The document summarizes an OWASP Kyiv Winter 2019 event on threat modeling. It discusses threat modeling approaches and tools like STRIDE, Threat Dragon, and the Microsoft Threat Modeling Tool. It provides an example of threat modeling a simple 3-tier application and outlines common threat categories like spoofing, tampering, and elevation of privilege. Contact information is also included for following up on threat modeling.
Threat simulation and modeling training shows you the different kinds of threat modeling procedures and encourages you to apply threat modeling as an advanced, preventive form of security. TONEX, a pioneer in the security industry for over 15 years, now announces its threat simulation and modeling training, which helps you understand the procedures, tools and case studies of effective threat modeling methods.
The Threat Simulation and Modeling Training course covers a variety of topics in the cybersecurity area, such as:
Process for attack simulation and threat analysis (PASTA)
PASTA steps
Common attack pattern enumeration and classification (CAPEC)
Threat modeling with SDLC and existing threat modeling approaches.
Moreover, you will be introduced to threat analysis, weakness and vulnerability analysis, attack modeling and simulation, and residual risk analysis and management.
Learn About:
PASTA, objectives of risk analysis, risk centric threat modeling, and weakness and vulnerability analysis basics.
Common attack pattern enumeration such as: HTTP response splitting, SQL injection, XSS strings, phishing, buffer overflow, authentication protocol attacks or even cache poisoning.
Threat analysis approaches and principles that give you a step-by-step, straightforward methodology for conducting threat modeling and analysis. Moreover, a detailed introduction to existing threat modeling approaches is included in the course. Examples of such approaches are CVSS, CERT, DREAD, and SDL threat modeling.
Who Can Benefit from Threat Simulation and Modeling Training?
If you are an IT professional who specializes in computer security, you will benefit from the presentations, examples, case studies, discussions, and individual activities of the threat simulation and modeling training, and on completion you will be better prepared for your career.
Threat Simulation and Modeling Training Features:
Threat simulation and modeling training introduces a set of labs, workshops and group activities based on real-world case studies in order to prepare you to tackle all the related computer threat challenges.
Our instructors at TONEX will help you understand the step-by-step procedure for attack simulation and modeling, such as enumerating the attack vectors, assessing the probability of attacks, attack-driven security tests, and updating the attack library.
Learn more about course audience, course objectives, course outline, workshop pricing, etc.
Threat Simulation and Modeling Training
https://www.tonex.com/training-courses/threat-simulation-and-modeling-training/
6 Most Popular Threat Modeling Methodologies - EC-Council
Threat modeling is one of the most effective preventive security measures, empowering cybersec professionals to put a robust cybersecurity strategy in place. So, let’s learn more about threat modeling in this SlideShare.
If you are keen to learn effective threat modeling after going through the SlideShare, click here: https://www.eccouncil.org/programs/threat-intelligence-training/
This presentation discusses the importance of threat modeling and the different ways to perform it. Threat modeling should be done during the design phase of application development. Its main aim is to identify the important assets and functionalities of the application and to protect them. Threat modeling cuts down the cost of application development because it identifies issues during the design phase. The presentation also covers the basics of mobile threat modeling and concentrates mainly on STRIDE and DREAD.
As delusions of effective risk management for application environments continue to spread, companies continue to bleed large amounts of security spending without truly knowing if the amount is warranted, effective, or even elevating security at all. In parallel, hybrid, thought-provoking security strategies are moving beyond conceptual ideas to practical applications within ripe environments. Application Threat Modeling is one of those areas that, beyond the hype, provides practical and sensible security strategy that leverages already existing security efforts for an improved threat model of what is lurking in the shadows.
Tony UcedaVelez, Managing Director
An experienced security management professional, Tony has more than 10 years of hands-on security and technology experience and is a vocal advocate of security process engineering – a term that describes the design and development of secure processes and controls working symbiotically to create a unique business workflow. Tony currently serves as Managing Director for an Atlanta based risk advisory firm that focuses on security strategy and delivering effective means for risk mitigation and security process engineering. He has worked and consulted for the Fortune 500, as well as federal agencies in the U.S. on the topic of application security and security process engineering.
This presentation is part of a talk I gave at the Microsoft .NET Bootcamp. The contents are slightly edited to share the information in the public domain. In this presentation, I covered the significance and all related theory of threat modeling and analysis. This presentation will be useful for software architects, managers, developers and QAs. Do share your feedback in the comments.
Risk Analysis Of Banking Malware Attacks - Marco Morana
Analysis of how banking malware like Zeus exploits weaknesses in online banking applications and security controls. This prezo is a walkthrough of the attack scenario, the attack vectors, the vulnerability exploits and the techniques to model the threats so that countermeasures can be identified.
Threat modeling is a way of thinking about what can go wrong and how to prevent it. Instinctively, we all think this way in regard to our own personal security and safety. When it comes to building or evaluating information systems, we need to develop a similar mindset. In this slide deck, Robert Hurlbut provides practical strategies to develop a threat modeling mindset by: understanding a system, identifying threats, identifying vulnerabilities, determining mitigations and applying the mitigations through risk management.
We first look at the difference between threats and attacks using intuitive examples (no rigorous definitions, as we think simple explanations are the best way to get the message across). Then we look at threat modeling vs. attack modeling. We give a high-level process for each of these modeling approaches.
Do you know what the steps of threat modeling and various models are? Take a look at these slides to learn.
To learn more about threat modeling, visit https://www.eccouncil.org/threat-modeling/
Application Threat Modeling In Risk Management - Mel Drews
How to perform threat modeling of software to protect your business and critical assets, and communicate your message to your boss and the Board of Directors.
Application Security Testing for Software Engineers, Developers and testers - Gustavo Nieves Arreaza
1. Application Security Testing for Software Engineers, Developers and testers.
2. Who Am I? • Software Engineer based in Chile • OWASP Viña del mar Chapter Leader • Recurrent Speaker on Application Security conferences • Head of Software Development
https://www.appsec.cl
These slides will give you an overview of Application Security Risk Assessment from an SDLC standpoint. Further, the methods used for risk assessment during the various phases of the SDLC are also discussed.
Steering a Bullet Train: Owasp Latam Tour BA 2015 - skantos
IT companies that do heavy software development have been shifting their paradigm from a traditional monolithic waterfall development lifecycle to a fully heterogeneous 24/7 devops culture. This implies more software deployments and more code developed. The traditional security approach, besides not being enough, is clearly outdated and non-applicable. This talk will tell how MercadoLibre evolved into a DevOps company, how information security was perceived and tackled then and now, what challenges we faced, what we did to drive change in a 15-year-old company's mindset, and how we are transforming into a SecDevOps culture and the way we envision that culture of work.
The Certified SOC Analyst (CSA) is a certification hosted by the EC-Council that validates IT security professionals' skills and expertise to join a Security Operation Centre (SOC). A SOC is a team of cybersecurity professionals responsible for monitoring and responding to an organization's security threats.
https://www.infosectrain.com/courses/certified-soc-analyst-csa-certification-training/
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2 - NetSPI
App Security? There’s a metric for that! (Part 1 of 2)
Over the past year, NetSPI has been working on a new approach to manage and measure application security. By combining OWASP’s Software Assurance Maturity Model, traditional risk assessment methodologies, and experience developing security metrics, NetSPI developed a methodology that may be used to help organizations improve the way they manage and prioritize their application security initiatives. Once fully developed, this approach will be donated to OWASP either as an add-on to the existing SAMM project or as a new project intended to improve application security management.
In this presentation, NetSPI provides a detailed walk-through of the overall methodology as well as OWASP’s SAMM project. We provide examples of the types of metrics and executive dashboards that can be generated by using this approach to managing application security and help highlight various ways this information can be used to further improve the overall maturity of application security programs.
Be sure to check out Part 2 of this presentation for a more "Hands On" approach.
http://www.slideshare.net/NetSPI/application-risk-prioritizationhandsonsecure360part2of2
(SACON) Dr. Soumya Maity & Lokesh Balu - A scalable, control-based, developer... - Priyanka Aash
A comprehensive application threat model demands specialized skills and expertise that can be difficult to obtain given the growing resource gap in the software security market. Making a scalable threat model framework is difficult even for big enterprises. Even the tools that help manage the threat modeling process have limitations. In this talk, we will present control-based threat modeling to explore the possibilities of moving from a traditional threat-library-based threat model to a more developer-centric threat model, and how this paradigm change may add value towards developing secure software.
A review of the "lessons learned" in establishing a CISO/CSO role in two different organizations. The things that security folks DON'T tell you...
CactusCon 2018 - Anatomy of an AppSec Program - Bishop Fox
It’s 2018, and we are haunted by the same vulnerabilities from more than a decade ago.
Organizations of all sizes still struggle with very common vulnerabilities like command injection, XSS, and insecure direct object reference … despite an abundance of code scanners on the market. The OWASP Top 10 is quickly becoming irrelevant because it has barely changed in the last several years.
This is one of the most pressing issues for CISOs and there is no definitive solution. AppSec isn’t a product you can buy, it isn’t even a state that you can achieve. There is no how-to guide for application security.
But there are some qualities shared by successful AppSec programs. This talk will provide security managers and directors who struggle with application security a better understanding of those common elements and answer some questions, such as:
What are some of the critical functions of an AppSec program?
Will that work in my <insert buzzword SDLC here> environment?
Okay, so where do I start?
Exhibit your support to the Cyber Security community
Grow your employer brand in a high-demand job market
Increase the user base of your professional products and services
Extend your professional social network
Meet new partners and old friends
Find new business opportunities
Increase your brand visibility
Showcase your expertise
Share your experience
Help Ukraine’s Cyber Security industry grow and prosper!
Contact us to know more: sponsors@nonamecon.org
Cybersecurity Framework 021214 Final UA - Vlad Styran
Methodology for improving the level of information security of critical infrastructure facilities.
Translation of the NIST Framework for Improving Critical Infrastructure Cybersecurity.
Translated with special thanks to: Cisco Ukraine.
Fantastic Beasts and where to hide from them - Vlad Styran
My presentation at IT Weekend Lviv 2017. Overview of modern cyber threat agents and their modus operandi. Practical recommendations on how to be a less likely cyber threat.
Berezha Security was founded in 2014 and provides penetration testing services. A penetration test (pentest) is a controlled simulation of a real hacker attack that reveals the real state of an organization's information security and its ability to withstand an attack with minimal losses.
Berezha Security was established by the most experienced Ukrainian experts in the field of information security. In our work we use only reliable, proven methodologies and tools, some of which we created ourselves. Due to our own developments and vast experience we were able to significantly reduce the cost of our work and offer our customers high quality services for a perfectly balanced price, which is easy to calculate using the price calculator that is publicly available on the Berezha Security website.
The Art of the Pitch: WordPress Relationships and Sales - Laura Byrne
Clients don't know what they don't know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... - Ramesh Iyer
In today's fast-changing business world, companies that fail to adapt and embrace new ideas struggle to keep up with the competition. However, fostering a culture of innovation takes a great deal of work. It takes vision, leadership and a willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Accelerate your Kubernetes clusters with Varnish Caching - Thijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Essentials of Automations: Optimizing FME Workflows with Parameters - Safe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Epistemic Interaction - tuning interfaces to provide information for AI support - Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
"Impact of front-end architecture on development cost", Viktor Turskyi - Fwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview - Prayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
GraphRAG is All You need? LLM & Knowledge Graph - Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Connector Corner: Automate dynamic content and events by pushing a button - DianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... - UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
JMeter webinar - integration with InfluxDB and Grafana - RTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality - Inflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
3. Application Security
The right way
1. Get AppSec training
2. Implement secure practices
3. Reach SAMM maturity level 3
4. Live happily ever after
7. Application Security
The usual way
Client: – We are going live in 2 weeks, “check” our “security” and tell us everything is OK.
Me: – Come back 6 months and 2 weeks ago.
8. SDLC workflow, OWASP SAMM 2 (Beta) style
Pavel Radchuk - SAMM: Understanding Agile in Security
https://speakerdeck.com/owaspkyiv/pavel-radchuk-samm-understanding-agile-in-security?slide=22
9. Threat Modeling
SAMM2 -> Design -> Threat Assessment -> Threat Modeling
Maturity level 1: Basic understanding of potential threats to the solution
“…The practice of threat modelling includes both eliciting and managing threats. Use known good security practices (or the lack thereof) or a more structured approach such as STRIDE to elicit threats. Threat modelling is often most effective when performed by a group of people, allowing for brainstorming…”
https://owaspsamm.org/v2.0b/core/design/d-threat-assessment/
10. S.T.R.I.D.E.
Threat categories
S: Spoofing
T: Tampering
R: Repudiation
I: Information leakage
D: Denial of service
E: Elevation of privilege
Workflow
1. What are we building?
2. What could go wrong?
3. What will we do about it?
4. Did we do a good job?
11. Sample app Threat Modeling session
Let’s build an app:
• Simple business function: clear idea
• Basic 3-tier architecture: API web service, DB, app(s), integrations
• Several external and internal threat actors
• Common trust boundaries: Internet and VPN
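The four-question workflow on the S.T.R.I.D.E. slide and the sample app above can be carried out in code: describe the elements (external actors, the API process, the database) and the data flows between them, mark the trust zone each element lives in so that flows crossing the Internet/VPN boundary stand out, and apply Shostack's STRIDE-per-element table to answer "what could go wrong" for every element. The script below is an added example written for this summary, not material from the OWASP Kyiv deck; the element names, trust zones and flows are a constructed stand-in for the 3-tier app the slide sketches, and the per-category control names are an assumed mapping used only to start the "what will we do about it" step.

```python
"""STRIDE-per-element enumeration for a constructed 3-tier app model.

Added example for the threat-modeling walkthrough; not code from the deck.
"""
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    EXTERNAL = "external entity"
    PROCESS = "process"
    STORE = "data store"
    FLOW = "data flow"


# The six STRIDE categories (the slide calls "I" information leakage).
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Shostack's STRIDE-per-element table: which categories apply to which kind.
APPLICABLE = {
    Kind.EXTERNAL: "SR",
    Kind.PROCESS: "STRIDE",
    Kind.STORE: "TRID",
    Kind.FLOW: "TID",
}

# Assumed mapping from category to the security property / control that
# answers "what will we do about it" (a starting point, not a full design).
STANDARD_CONTROL = {
    "Spoofing": "authentication",
    "Tampering": "integrity protection",
    "Repudiation": "logging and audit trail",
    "Information disclosure": "confidentiality (encryption, access control)",
    "Denial of service": "availability (rate limits, quotas)",
    "Elevation of privilege": "authorization checks",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: Kind
    zone: str  # trust zone, e.g. "Internet" or "VPN"


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element

    @property
    def crosses_boundary(self) -> bool:
        # A flow between different trust zones crosses a trust boundary.
        return self.src.zone != self.dst.zone


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    crosses_boundary: bool

    @property
    def control(self) -> str:
        return STANDARD_CONTROL[self.category]


def enumerate_threats(elements, flows):
    """Step 2, 'what could go wrong': one Threat per applicable category."""
    threats = []
    for e in elements:
        for letter in APPLICABLE[e.kind]:
            threats.append(Threat(e.name, STRIDE[letter], False))
    for f in flows:
        for letter in APPLICABLE[Kind.FLOW]:
            threats.append(Threat(f.name, STRIDE[letter], f.crosses_boundary))
    # Boundary-crossing flows are reviewed first; the rest follow by name.
    threats.sort(key=lambda t: (not t.crosses_boundary, t.target, t.category))
    return threats


def threats_for(threats, target):
    """Sorted category names recorded against one element or flow."""
    return sorted(t.category for t in threats if t.target == target)


def sample_model():
    """Constructed model of the slide's app (names are assumptions)."""
    customer = Element("Customer (mobile app)", Kind.EXTERNAL, "Internet")
    partner = Element("Partner integration", Kind.EXTERNAL, "Internet")
    admin = Element("Internal admin", Kind.EXTERNAL, "VPN")
    api = Element("API web service", Kind.PROCESS, "VPN")
    db = Element("Database", Kind.STORE, "VPN")
    flows = [
        Flow("Customer -> API (HTTPS)", customer, api),
        Flow("Partner -> API (webhook)", partner, api),
        Flow("Admin -> API", admin, api),
        Flow("API -> DB (SQL)", api, db),
    ]
    return [customer, partner, admin, api, db], flows


if __name__ == "__main__":
    elements, flows = sample_model()
    for t in enumerate_threats(elements, flows):
        flag = "BOUNDARY" if t.crosses_boundary else "        "
        print(f"{flag} {t.target:28} {t.category:24} -> {t.control}")
```

Running the script lists 28 candidate threats for the constructed model, with the six that sit on the two Internet-to-VPN flows printed first; each line is a prompt for the group brainstorm the SAMM quote recommends, and the fourth question ("did we do a good job?") is answered by checking that every line ends up with either an accepted risk or a control that actually exists in the design.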
13. Microsoft Threat Modeling Tool (Demo?)
Microsoft Threat Modeling Tool
https://www.microsoft.com/en-us/download/details.aspx?id=49168
“Microsoft Threat Modeling Tool 2016 is a tool that helps in finding threats in the design phase of software projects.”
14. Adam Shostack
Learning Threat Modeling for Security Professionals
https://www.linkedin.com/learning/learning-threat-modeling-for-security-professionals
15. Elevation of Privilege (EoP)
Threat Modeling Card Game
https://www.microsoft.com/en-us/download/details.aspx?id=20303
16. How to reach me
http://fb.me/vstyran
@arunninghacker
sapran@protonmail.com