In the cloud, data is not tied to one server or even one group of servers, and it can be accessed from multiple devices simultaneously. To protect data, therefore, security solutions must shift from defense of a fixed perimeter towards an approach that protects the data as it travels from physical to virtual to cloud environments.
In the post-PC era, Trend Micro envisions a smart, data-centric security framework that advances the capabilities of our cloud-based Smart Protection Network™, adds smarter threat protection that correlates local threat intelligence; smarter data protection that follows and protects your data; and unified security management that increases visibility into data access and potential attacks.
This presentation was given at the Information Security Executive Summit on 28th / 29th February 2012
• Introduction to information security.
What information security, threats, risks and vulnerabilities are; basic terms and definitions.
• Building blocks of an information security strategy, policies and standards.
Identify and establish a country-wide information security strategy; establish policies, standards and procedures; implement the different types of control objectives: managerial, technological and business-process controls. Introduction to the main domains of an information security management system, based on the international information security standard (ISO 2700x).
• Actions, roles and responsibilities.
What kinds of actions are needed for information security risk treatment. Roles and responsibilities of information security professionals.
By Vasil Tsvimitidze
Digital Watermarking Applications and Techniques: A Brief Review
Editor IJCATR
The widespread availability of digital data such as audio, images and videos to the public became possible through the expansion of the internet. Digital watermarking technology is being adopted to ensure and facilitate data authentication, security and copyright protection of digital media. It is considered the most important technology in today's world for preventing illegal copying of data. Digital watermarking can be applied to audio, video, text or images. This paper includes a detailed study of the definition of watermarking and of the various watermarking applications and techniques used to enhance data security.
The variety and complexity of cyber attacks are increasing. The attackers have strong economic and political motivation, which leads to organized and targeted attacks. We have concluded that intrusions are inevitable, and have focused on strategies to work through the attack while limiting the losses. Our approach, called Self Cleansing Intrusion Tolerance (SCIT), leads to the next generation of secure servers. SCIT shifts the focus from intrusion avoidance to reducing the losses resulting from an intrusion. This additional layer of defense is justified because the current reactive approaches cannot keep up with the rapidly increasing number of new threats.
Retail Stores and Wireless Security—Recommendations
AirTight Networks
Wireless computer networks are rapidly becoming universal. As a consumer-driven technology, wireless was developed to be simple to install, configure and use. It is that very simplicity, however, that has made it an easy attack vector. More than 95 percent of all laptop computers have wireless built-in; consumers use wireless routers at home to attach to their DSL or cable modems; cell phones and digital cameras are getting Wi-Fi enabled. For a retailer, this means that even if you are not deploying wireless LANs in your establishments, you have a wireless problem and you need a wireless security policy.
Bridging the Social Media Implementation/Audit Gap
Jerod Brennen
It's one thing to embrace social media, but it's another thing entirely to embrace it securely. This presentation helps organizations understand what steps should be taken to ensure that their social media properties aren't abused or exploited to attack the organization.
As delusions of effective risk management for application environments continue to spread, companies continue to bleed large amounts of security spending without truly knowing if the amount is warranted, effective, or even elevating security at all. In parallel, hybrid, thought-provoking security strategies are moving beyond conceptual ideas to practical applications within ripe environments. Application Threat Modeling is one of those areas that, beyond the hype, provides practical and sensible security strategy that leverages already existing security efforts for an improved threat model of what is lurking in the shadows.
Tony UcedaVelez, Managing Director
An experienced security management professional, Tony has more than 10 years of hands-on security and technology experience and is a vocal advocate of security process engineering – a term that describes the design and development of secure processes and controls working symbiotically to create a unique business workflow. Tony currently serves as Managing Director for an Atlanta based risk advisory firm that focuses on security strategy and delivering effective means for risk mitigation and security process engineering. He has worked and consulted for the Fortune 500, as well as federal agencies in the U.S. on the topic of application security and security process engineering.
Threat modeling web application: a case study
Antonio Fontes
TAM is a security activity conducted early in the development lifecycle, when we only have ideas and early design specifications and no source code has been produced yet. It helps identify the major threats to your web application and their appropriate countermeasures.
This session focuses on an introduction to the threat modeling technique through a case study on an online newspaper platform.
Event: Confoo 2011 Montreal
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
IBM Security
The mobile banking and payments opportunity for financial institutions is tremendous, and those who offer the most secure apps will prevail over the competition. But this opportunity is not without hazards, and the effect on revenue and brand caused by hackers can be devastating.
In this webinar, IBM Security Trusteer and Arxan focus on the mobile threat landscape and leading protection techniques to safeguard mobile payments and apps.
Industry experts from IBM Security Trusteer and Arxan review:
The changes in technology that have made mobile applications so vulnerable
Emerging mobile threat vectors and what you can do to mitigate the risks
Musts for the future of your security model
View the on-demand recording: http://arxan.wistia.com/medias/036z0iw7y1
Attacking and Defending Mobile Applications
Jerod Brennen
The rapid increase in mobile technology adoption in the workplace has resulted in a rise in mobile application attacks. This presentation provides attendees with insight into how mobile application attacks are perpetrated, as well as how we can develop to defend against them.
Why are code reviews and penetration tests not enough to secure your organization’s software? This presentation explores the importance of threat modeling in the security journey.
The primary focus of this study was to investigate how cyber risks in the ICT infrastructures of supply chains are managed. As its theoretical base, the study used the Adaptive Security Architecture framework that has been employed by most IT security specialists. Five experienced IT experts participated in a semi-structured interview to provide practical insights on the state of cybersecurity in supply chain operations from various industries. Their responses were analyzed based on the four stages of prediction, prevention, detection and response.
This study offers a new framework that suggests cybersecurity requires anticipatory vigilance, profiling malevolence, instantaneous response and uncompromised recovery to deal with the cyber threats posing disruptions to supply chains.
There is no debate that companies, large or small, have put a lot of effort into protecting digital security and privacy with "best practice" recommendations, often using solutions from branded security vendors or built by the best in-house or outsourced experts, yet they are falling prey to cyber and insider attacks, because "compliance" or "best practice" does not equal security. Reality has shown us that traditional security approaches have fallen behind the increased system complexity and the advanced technical capabilities mastered by adversaries.
The key weakness in our security defenses lies in the digital identity systems used to authenticate users (no system can defend against an attacker who impersonates a legitimate user); followed by the inability to validate the authenticity and integrity of communication (if an attacker can tamper with the data freely, there is no need to crack the one-time password); and finally the inability to protect information from unauthorized access in the event of an inevitable security breach caused by unknown system or application security vulnerabilities.
FrontOne's information security solution addresses all of the security weaknesses listed above:
First, FrontOne uses its own digital identity, hardened to withstand advanced attackers using sophisticated real-time attacks, which helps all its users avoid falling prey to identity thieves, from phishing and malware attacks on the client side to advanced persistent threats on the server side, because FrontOne's digital identity is dynamic and non-transferable.
Second, FrontOne provides 100% message integrity by using a dedicated and destination-aware messaging system and ensuring that each and every message is completely unique, reducing the chance of attackers being able to identify and manipulate it for their benefit.
Finally, FrontOne uses its own method of protecting information at rest, in transit and in use, focusing its innovation on the security and integrity of the encryption key while using industry-standard cryptography. FrontOne's user-centric data protection solution uses dual control for its encryption keys: a random encryption key is protected with a security key that has two parts, one from the client side and the other from the centralized key server. This arrangement ensures that access to protected data is available with the authorized user's device present.
The security approaches FrontOne has taken above are further strengthened by its own patented technologies, which introduce a dynamic element into each and every message and transaction, mutually authenticate both parties before a request is served, and provide the user with ultimate control that is not accessible digitally.
Implications of GDPR for IoT Big Data Security and Privacy Fabric
Mark Underwood
Discussion of the ways in which GDPR has influenced, and will continue to influence, the SDLC and deployment of IoT, especially as it impacts the privacy and security fabric.
Irdeto Spokesman Yuan Xiang Gu, Co-Founder & Chief Architect of Cloakware and Senior Director of Cloakware Advanced Research Center Speaks At ISI SSP Beijing 2011
#OSSPARIS19 : The evolving (IoT) security landscape - Gianluca Varisco, Arduino
Paris Open Source Summit
IoT is at the peak of the hype cycle - what they call the 'Peak of Inflated Expectations’. The complexity of the cybersecurity landscape is at an all-time high, with security researchers, vendors and even governments all trying to come to a consensus for making the cyber-world a safer place. In this world of lightning-fast development cycles, it may intuitively feel like security gets left behind. The battle over standards is always a struggle. The unresolved problem of software updates and short vendor support cycle combined with the lack of effort into security makes these devices an easy target. Companies not only need to update their technology stack for the evolving security landscape but also their mindset, processes and culture. This talk will shine a light on some of the challenges that today’s executives face in finding and fixing systemic problems in and outside of security through people, tools and understanding.
ASFWS 2012 / Introduction to Web Services security, by Sylvain Maret
Sylvain Maret
With the expansion of online services via the cloud, or simply the interconnection of information systems, the need to expose services to the outside world is growing. Web Services are a solution that has long been proven for meeting this need.
Whether SOAP or REST is used, one problem always arises: how do I secure access to my information system when I am opening a door into it by exposing my business logic? This talk will attempt to answer these questions by presenting concrete implementation cases.
Strong Authentication in Web Application #SCS III
Sylvain Maret
Swiss Cyber Storm 3 Security Conference / OWASP Track
Strong Authentication: State of the Art 2011
Risk Based Authentication
Biometry - Match on Card
OTP for Smartphones
OTP SMS
PKI
SuisseID
Mobile-OTP
OATH (HOTP, TOTP, OCRA)
Open Source approach
How to integrate Strong Authentication in Web Application?
OpenID, SAML, Identity Federation for Strong Authentication
API, SDK, Agents, Web Services, Modules
PAM, Radius, JAAS
Reverse Proxy (WAF) and WebSSO
PKI / SSL client authentication
PHP example with Multi-OTP PHP class
AppSec (Threat Modeling - OWASP)
Strong Authentication in Web Applications: State of the Art 2011
Sylvain Maret
Sylvain's talk will focus on risk-based authentication, biometry, OTP for smartphones, PKIs, Mobile-OTP, OATH-HOTP, TOTP and the open-source approach to this subject.
PHP Demo with multiotp class.
Strong Authentication in Web Application / ConFoo.ca 2011
Sylvain Maret
Strong Authentication in Web Application: State of the Art 2011
* Risk Based Authentication
* Biometry - Match on Card
* OTP for Smartphones
* PKI
* Mobile-OTP
* OATH-HOTP
* TOTP
* Open Source approach
How to integrate Strong Authentication in Web Application
* OpenID, SAML, Liberty Alliance / Kantara
* API, Agents, Web Services, Modules
* PAM, Radius, JAAS
* Reverse Proxy (WAF) and WebSSO
* PKI / SSL client authentication
* PHP example with Multi-OTP PHP class
How to effectively protect your digital identity(ies) on Web 2.0?
Sylvain Maret
How to effectively protect your digital identity(ies) on Web 2.0?
Workshop of the SATW ICT Commission
20/21 May 2010, Parkhotel Schloss Münchenwiler
Implementation of a Biometric Solution Providing Strong Authentication To Gai...
Sylvain Maret
First-hand feedback on the implementation of identity management within a bank.
Technological choices ? Issues ? Concept and design, implementation, training and human aspects. A hands-on experience.
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
Clients don't know what they don't know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
JMeter webinar - integration with InfluxDB and Grafana
RTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
DevOps and Testing slides at DASA Connect
Kari Kakkonen
Rik Marselis' and my slides from the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is, and finally what Testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find different ways to think about quality and testing in the different parts of the DevOps infinity loop.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
1. MARET Consulting | Boulevard Georges Favon 43 | CH 1204 Geneva | Tel +41 22 575 30 35 | info@maret-consulting.ch | www.maret-consulting.ch
iPad net-Banking Project
Technical Risk Assessment
Sylvain Maret / Security Architect / 2012-05-24
@smaret
Technology consulting
2. Agenda
Context
Technical Risk Assessment approach
A six step process
Threat Model – DFD
STRIDE Model
Open discussion
4. Context
Business case: enable customer access to portfolio performance reports from mobile equipment (iPad) located outside the controlled network.
5. Actors
Security Product
ACME Bank
Web Agency
6. The TRA relies on a series of six activities:
#1 System characterization
#2 Threat identification
#3 Vulnerabilities identification
#4 Impacts analysis
#5 Risk characterization
#6 Risk treatment and mitigation
8. #1 - Appropriate safeguards
The selected solution shall implement the appropriate safeguards to maintain the overall security at its expected level.
Required level: C / I / A (confidentiality, integrity, availability)
9. #1
Ensure service integrity: uncontrolled client systems mean unpredictable request behavior.
Prevent access from: offensive / hostile / corrupt requests.
10. #1
Ensure information confidentiality:
- while data travels across uncontrolled networks
- while the client application is "offline" (turned off)
- while the client application is "online" (running)
Prevent access from:
- Network capture: sniffers, gateways, cache proxies, MitM, etc.
- Local capture: unsecure backups, memory-card access, data interception by locally installed malware
11. #1
Consider project-specific risks:
- Outsourced vs. in-house development: where will security assurance come from?
- Multi-disciplinary project involving three major actors: the Bank (Acme - IT projects), the portfolio performance reporting application (Web Agency), the sandboxing application (Sysmosoft). Who will be responsible for key security aspects?
12. Step #2 - Threat identification
13. #2 - Building a threat model
- Decompose the application
- Diagramming: Data Flow Diagram (DFD)
- Determine and rank threats: STRIDE model
14. #2 - Data Flow Diagram (DFD)
DFD notation: Process, Multiple Process, External entity, Data store, Data flow, Trust Boundary
16. #2 – STRIDE Model - Threat Categories
17. #2 - Threat Agents
18. #2 - Threats - iPad net-Banking - Example
19. #2 - Different threats affect each type of element
Slide table columns: DFD ID, Threat ID, Comment, and one column per STRIDE category (S, T, R, I, D, E).
DFD 2 (iPad) - T1: unsecure backups; memory-card access; data interception by locally installed malware
DFD 3 (Transport - Internet) - T2: sniffers, gateways, cache proxies, MitM, etc.
DFD 7 (Banking-App) - T3: offensive / hostile / corrupt requests
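The table on this slide is the output of the "STRIDE per element" step: each DFD element type admits only some of the six STRIDE categories, and the analyst then attaches concrete threat comments (T1, T2, T3) to the elements. The following is an added example, not code from the deck or from Maret Consulting: it encodes the standard per-element STRIDE applicability table used by the Microsoft SDL threat modeling practice, applies it to the three DFD elements the slide names, and flags data flows that cross a trust boundary (the ones for which the deck's "confidential transport" control is needed). The element types (iPad client and Banking-App as processes, Transport-Internet as a data flow), the trust zones and the comment strings are assumptions for illustration.

```python
"""STRIDE-per-element threat enumeration for a small DFD.

Added example, not code from the deck. DFD ids and names follow the deck's
threat table (2 = iPad, 3 = Transport-Internet, 7 = Banking-App); the element
kinds, trust zones and comment strings below are this example's assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Which STRIDE categories apply to which DFD element kind: the standard
# "STRIDE per element" table from the Microsoft SDL threat modeling practice.
STRIDE_PER_ELEMENT: Dict[str, str] = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

CATEGORY_NAMES: Dict[str, str] = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    dfd_id: int
    name: str
    kind: str          # a key of STRIDE_PER_ELEMENT
    trust_zone: str    # zone the element lives in; for a flow, "src->dst"


@dataclass(frozen=True)
class Threat:
    dfd_id: int
    element: str
    category: str      # one STRIDE letter
    description: str


# Constructed DFD for the iPad net-banking case (element kinds are assumed).
IPAD_DFD: List[Element] = [
    Element(2, "iPad client app", "process", "device"),
    Element(3, "Transport - Internet", "data_flow", "device->bank"),
    Element(7, "Banking-App", "process", "bank"),
]

# Analyst comments per DFD id, paraphrased from the deck's threat table.
DECK_COMMENTS: Dict[int, str] = {
    2: "T1: unsecure backups, memory-card access, local malware",
    3: "T2: sniffers, gateways, cache proxies, MitM",
    7: "T3: offensive / hostile / corrupt requests",
}


def stride_matrix(elements: List[Element]) -> Dict[int, Set[str]]:
    """Map each DFD id to the set of STRIDE letters applicable to its kind."""
    matrix: Dict[int, Set[str]] = {}
    for el in elements:
        if el.kind not in STRIDE_PER_ELEMENT:
            raise ValueError(f"unknown element kind {el.kind!r} for DFD {el.dfd_id}")
        matrix[el.dfd_id] = set(STRIDE_PER_ELEMENT[el.kind])
    return matrix


def enumerate_threats(elements: List[Element],
                      comments: Dict[int, str]) -> List[Threat]:
    """Expand the matrix into one candidate threat per (element, category),
    carrying along the analyst's comment for that element, if any."""
    threats: List[Threat] = []
    for el in elements:
        for letter in STRIDE_PER_ELEMENT[el.kind]:
            desc = f"{CATEGORY_NAMES[letter]} of {el.name}"
            note = comments.get(el.dfd_id, "")
            if note:
                desc += f" ({note})"
            threats.append(Threat(el.dfd_id, el.name, letter, desc))
    return threats


def boundary_crossing_flows(elements: List[Element]) -> List[Element]:
    """Data flows whose endpoints sit in different trust zones. These are the
    flows that must get a confidentiality control (the deck's T2 control),
    because the network in between is not under the bank's control."""
    flows: List[Element] = []
    for el in elements:
        if el.kind != "data_flow":
            continue
        src, _, dst = el.trust_zone.partition("->")
        if src and dst and src != dst:
            flows.append(el)
    return flows


if __name__ == "__main__":
    for t in enumerate_threats(IPAD_DFD, DECK_COMMENTS):
        print(f"DFD {t.dfd_id}  {t.category}  {t.description}")
    print("flows needing confidential transport:",
          [f.dfd_id for f in boundary_crossing_flows(IPAD_DFD)])
```

Running the block lists 15 candidate threats (six for each process, three for the data flow) and reports DFD 3 as the only flow crossing a trust boundary. The per-element table is what keeps the threat list tractable: a data flow cannot be "spoofed" or "elevated", so those rows never appear, and the analyst spends review time only on categories that can actually apply to each element.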
21. #3 - Security controls - Example
T1 - Feature: local mobile application sandboxing. Controls: secure offline data storage; secure online data storage (in-memory storage); secure environment validation (OS + client application integrity); safeguards against malware.
T2 - Feature: data transport security. Controls: confidential transport.
T3 - Feature: secure architecture. Controls: defense in depth; privilege separation; trusted links & endpoint.
T3 - Process: secure software development. Controls: presence of software security assurance controls in each development lifecycle (Outsourced Dev; Acme Bank).
22. #3 - Vulnerabilities identification
Threat ID | Controls | V-ID | Vulnerabilities
--------- | -------- | ---- | ---------------
T1 | Secure offline data storage; secure online data storage (in-memory storage); secure environment validation (OS + client application integrity); safeguards against malware | V100 | ?? (unknown)
T2 | Confidential transport | V200 | No application level data security
T3 | Defense in depth; privilege separation; trusted links & endpoint | V300 | No hardening strategy at service layer
T3 | Presence of software security assurance controls in each development lifecycle: Outsourced Dev; Acme Bank | V400 | Poor SDLC activities
23. #3 - V100 - unknown
Data sharing between apps?
Device jailbreaking?
Malicious but legitimately installed app?
24. #3 - V200 - No Application Level Data Security
Banking App
25. #3 - V300 - No Hardening Strategy at Service Layer
No XML firewall
No mutual-trust SSL at WS transport level
No hardening at OS & service level
26. #3 - V400 - Poor SDLC activities
Microsoft SDL
28. #3 – Web Agency: software development security assurance
Project phase | Assurance level | Security activities
------------- | --------------- | -------------------
Analysis / Design | | Involvement of a security architect during the design process
Implementation | | Use of automated code quality analysis tools
Verification | |
Delivery / Operations | | Experience with customers conducting regular security evaluations
30. #3 - Software development security assurance: Summary
Actor | Assurance level | Conclusions
----- | --------------- | -----------
Outsourced Dev | | Assurance level is low. Acme Bank shall agree with the vendor on minimum security assurance requirements along the project, or establish a clear statement of responsibilities (SLA).
Acme Bank | ? | Assurance level is low. Acme Bank shall define minimum security assurance requirements with project management.
31. Step #4
Impact analysis
32. #4 – Impact analysis – Example
V-ID | Description | Severity | Exposure
---- | ----------- | -------- | --------
V-100 | Information disclosure on iPad | HIGH | Additional controls needed
V-200 | Information disclosure on data transport | MEDIUM | Additional controls needed
V-300 | Intrusion on Banking Application | HIGH | Additional controls needed
V-400 | Intrusion on Banking Application | HIGH | Additional controls needed
33. Step #5
Risk estimation
34. #5 – Risk estimation - Example
R-ID | V-ID | Tech. impact | Business impact | Description | Likelihood | Severity
---- | ---- | ------------ | --------------- | ----------- | ---------- | --------
R-1 | V-200 | Confidentiality | Compliance, Reputation | Theft of credentials or personal data during transport | MEDIUM | HIGH
R-2 | V-300, V-400 | Integrity | Compliance, Reputation, Operations | User input tampering attempts resulting in system compromise | LOW | HIGH
R-3 | -- | -- | -- | -- | -- | --
R-4 | -- | -- | -- | -- | -- | --
R-5 | | | | | |
R-6 | | | | | |
36. #6 – Security controls - Example
Reco. ID | Risk | Description | Decision
-------- | ---- | ----------- | --------
SC.1 | R-1 | Perform a pentest on the iPad application | Mitigate
SC.2 | R-1 | Implement data encryption for transport | Mitigate
SC.3 | R-2 | Deploy an XML firewall in front of the web service | Mitigate
SC.4 | R-2 | Perform code review; perform pentest | Mitigate
37. Conclusion
Keep security in mind throughout the project
Iterative process
Risk assessment during the project
Risk assessment after deployment
Threat modeling
A new approach
A guideline for all projects
39. Who am I?
Security Expert
17 years of experience in ICT Security
Principal Consultant at MARET Consulting
Expert at Engineer School of Yverdon & Geneva University
Swiss French Area delegate at OpenID Switzerland
Co-founder Geneva Application Security Forum
OWASP Member
Author of the blog: la Citadelle Electronique
http://ch.linkedin.com/in/smaret or @smaret
http://www.slideshare.net/smaret
Chosen field
AppSec & Digital Identity Security
41. "Consulting and expertise for the selection and implementation of innovative technologies in information systems security and digital identity"
43. #2 - Understanding the threats
Threat | Property | Definition | Example
------ | -------- | ---------- | -------
Spoofing | Authentication | Impersonating something or someone else. | Pretending to be any of billg, xbox.com or a system update
Tampering | Integrity | Modifying data or code | Modifying a game config file on disk, or a packet as it traverses the network
Repudiation | Non-repudiation | Claiming to have not performed an action | "I didn't cheat!"
Information Disclosure | Confidentiality | Exposing information to someone not authorized to see it | Reading key material from an app
Denial of Service | Availability | Deny or degrade service to users | Crashing the web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole
Elevation of Privilege | Authorization | Gain capabilities without proper authorization | Allowing a remote internet user to run commands is the classic example, but running kernel code from lower trust levels is also EoP
Source: Microsoft SDL Threat Modeling