Adam Shostack presented on lessons learned from threat modeling. He discussed common traps to avoid, such as thinking threat modeling is easy or only for specialists. He outlined a simple approach using four questions: what are we working on, what can go wrong, what are we going to do about it, and how will we know if we're successful. Shostack also discussed the STRIDE mnemonic for categorizing threats and provided examples of mitigations for each category. His top ten lessons emphasized that anyone can threat model with the right skills and techniques.
Everyone knows you ought to threat model, but in practical reality it turns out to be tricky. If past efforts to threat model haven't panned out, perhaps part of the problem is confusion over what works, and how the various approaches conflict or align. This talk captures lessons from years of work helping people throughout the software industry threat model more effectively. It's designed to help security pros, developers and systems managers, all of whom will leave with both threat modeling lessons from Star Wars and a proven foundation, enabling them to threat model effectively.
Threat modeling is a way of viewing the world, and so what's changing in threat modeling reflects that. There's a global pandemic. The ways we build software are changing. The threats are evolving, and attacks through systems are growing in importance.
Threat modeling is about thinking what bad can happen and what can you do about it. It can also find logical flaws and reveal problems in the architecture or software development practices. These vulnerabilities cannot usually be found by technical testing.
Threat modeling helps you deliver better software, prioritize your preventive security measures, and focus your penetration testing to the most risky parts of the system. The beauty of threat modeling is that you can assess security already in the design phase. In addition, it is something every team member can participate in because it doesn't require any source code, special skills, or tools. Threat modeling is for everyone: developers, testers, product owners, and project managers.
The presentation covers various methods, such as the STRIDE model, for finding security and privacy threats. You will also learn to analyze use cases for finding business level threats. The presentation also includes practical tips for arranging threat workshops and representing your results.
This presentation was held in the Diana Initiative 2018 and Nixucon 2018 conferences.
Workshop content to support a half day training session on threat modeling, specifically focusing on Hacker Stories / Rapid Threat Modeling / VAST / Misuse or Abuse Cases. This content is focused on orienting someone new to threat modeling, then subsequently how to get started with threat modeling in a devops world.
Threat Modeling as a structured activity for identifying and managing the objects (such as application) threats.
Threat Modeling – also called Architectural Risk Analysis is an essential step in the development of your application.
Without it, your protection is a shot in the dark
This is the presentation from Null/OWASP/g4h November Bangalore MeetUp by Shivendra Saxena.
technology.inmobi.com/events/null-owasp-g4h-november-meetup
This topic would deal with the introduction to threat modeling. We'll discuss about the process of brainstorming about the issues which might appear when the product gets built. Will discuss about the STRIDE model and about the importance of the eraky detection of the security issues.
Everyone knows you ought to threat model, but in practical reality it turns out to be tricky. If past efforts to threat model haven't panned out, perhaps part of the problem is confusion over what works, and how the various approaches conflict or align. This talk captures lessons from years of work helping people throughout the software industry threat model more effectively. It's designed to help security pros, developers and systems managers, all of whom will leave with both threat modeling lessons from Star Wars and a proven foundation, enabling them to threat model effectively.
Threat modeling is a way of viewing the world, and so what's changing in threat modeling reflects that. There's a global pandemic. The ways we build software are changing. The threats are evolving, and attacks through systems are growing in importance.
Threat modeling is about thinking what bad can happen and what can you do about it. It can also find logical flaws and reveal problems in the architecture or software development practices. These vulnerabilities cannot usually be found by technical testing.
Threat modeling helps you deliver better software, prioritize your preventive security measures, and focus your penetration testing to the most risky parts of the system. The beauty of threat modeling is that you can assess security already in the design phase. In addition, it is something every team member can participate in because it doesn't require any source code, special skills, or tools. Threat modeling is for everyone: developers, testers, product owners, and project managers.
The presentation covers various methods, such as the STRIDE model, for finding security and privacy threats. You will also learn to analyze use cases for finding business level threats. The presentation also includes practical tips for arranging threat workshops and representing your results.
This presentation was held in the Diana Initiative 2018 and Nixucon 2018 conferences.
Workshop content to support a half day training session on threat modeling, specifically focusing on Hacker Stories / Rapid Threat Modeling / VAST / Misuse or Abuse Cases. This content is focused on orienting someone new to threat modeling, then subsequently how to get started with threat modeling in a devops world.
Threat Modeling as a structured activity for identifying and managing the objects (such as application) threats.
Threat Modeling – also called Architectural Risk Analysis is an essential step in the development of your application.
Without it, your protection is a shot in the dark
This is the presentation from Null/OWASP/g4h November Bangalore MeetUp by Shivendra Saxena.
technology.inmobi.com/events/null-owasp-g4h-november-meetup
This topic would deal with the introduction to threat modeling. We'll discuss about the process of brainstorming about the issues which might appear when the product gets built. Will discuss about the STRIDE model and about the importance of the eraky detection of the security issues.
Uncovering ICS Threat Activity Groups for Intelligence-Driven Defense: Dragos has released information about eight threat activity groups that have targeted industrial companies. These groups range from espionage, to learning industrial environments for future effects, to causing a power outage and targeting human life directly. But what are threat activity groups? They are different than what is normally tracked in the community as threat actors and have a different focus for defenders.
Rising Cyber Escalation US Iran Russia ICS Threats and Response Dragos, Inc.
Dragos discusses the quickly rising tensions between the US, Russia, and Iran, threat intelligence on malicious activity surrounding these tensions, and recommended responses to defend industrial control systems and critical infrastructure worldwide.
Presentations included from Dragos Threat Intelligence following these threats and the Dragos Threat Operations Center currently responding and defending against these threats.
Visit www.dragos.com for more info about industrial cybersecurity
Our researcher Aryeh Goretsky took a look at some of the more interesting pieces of malware and threats that have occurred over the first six months of the year 2014. And what a year it has been, with some serious new developments as well as persistence of numerous older threats.
Purple Teaming - The Collaborative Future of Penetration TestingFRSecure
Organizations get penetration tests year after year, yet companies still get breached because they’re STILL missing the basics.Traditional penetration tests are failing to prepare organizations for the threats they actually face. They’ve become a commodity of compliance and box-checking. Remediation steps rarely include management objectives. General lack of excitement for Blue Team functions. Red team is sexy, but just a tool. Do you even have a JBOSS server? (Then why are you seeing alerts for it?)
Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, ...Core Security
Vulnerability Assessments, Penetration Tests and Red Teaming – Do you know what these tactics are all about? In this session, we will present our understanding of these practices in terms of when to apply them and what to expect. Nowadays, organizations run on top of hundreds, if not thousands, of Information Technology assets with some of them on premise and others cloud based. Having control over all of this is a challenging task. Based on our extensive experience with securing our customers, I will show what real findings and attack trends look like while hopefully, shedding some light on how to be prepared to resist current attacks.
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...APNIC
APNIC Senior Security Specialist Adli Wahid provides some useful findings of lessons learned from security incidents at the UMS Cybersecurity Awareness Seminar, held online on 25 October 2021.
Managing Next Generation Threats to Cyber SecurityPriyanka Aash
The emergence of next generation technology into the cyber security space has added complications and challenges on several levels. When we talk about next generation technologies we should mean those associated directly with artificial intelligence (AI) and associated components such as machine learning (ML). Unfortunately, many organizations opt to hype current generation products as next gen. In this workshop we will begin by exploring what we need to know about AI and its components. We will dispense with the marketing hype and get down to the facts. Then we will look in detail at a few available tools that truly are next gen - and what makes them next gen - followed by a discussion of where the adversary is going with AI, ML and other next gen technologies. We will wrap up with research from my upcoming book which discusses the collision between the law and cyber science. In this section we also will address some governance issues that you need to know
2018 Year in Review- ICS Threat Activity GroupsDragos, Inc.
Intelligence Analyst Selena Larson, Sr. Adversary Hunter Joe Slowik, and Sr. Adversary Hunter Amy Bejtlich overview the 2018 Year in Review report detailing the eight ICS threat activity groups Dragos' Intelligence team tracks and the changing threat landscape.
In this presentation Daniel Michaud-Soucy, Principal Threat Analyst at Dragos, will demonstrate three separate models in order to identify gaps in ICS security posture. First, threat modeling serves as an inward look as an ICS network defender in order to properly understand the environment, the threat actors, the impacts, the risks and the crown jewels pertaining to an industrial process. Second, the ICS cyber kill chain serves as an outward look at the steps an adversary needs to take in order to achieve their objectives. Third, the bowtie model allows a graphical representation of the threats to the environment as well as the protection, detection, and response controls that help secure it. In the end, the asset owner creates a holistic picture of the security controls in their network, pertaining to the threat actors they care about and allows identification of gaps in their strategy.
Visit www.dragos.com to learn more about the Dragos industrial cybersecurity platform for increased visibility of assets, threats and guided responses.
Threat Dissection - Alberto Soliño Testa Research Director, Core SecurityCore Security
Anatomy 101 of how and what threats actually do in your network. In this session, we will pick a well-known threat and go through the cycle of how actors behave and how security teams can deter, detect, respond and validate using Core Security products.
We discuss the role software plays in information security and compare and contrast how many of the unique attributes of open source can present particular security challenges as opposed to proprietary/commercial software. We will examine the role open source has played in several high profile security incidents, drawing lessons learned from those incidents. We will also review the standards of “reasonableness” established by widely adopted security standards published by NIST and others and discuss the application of those standards to open source.
Welcome to the CISSP Mentor Program! What is the CISSP Mentor Program • History: 1st class was 2010; 6 students • Today’s class; 80 students. Why do we do it • Success Stories • Heck, it’s free! If you aren’t satisfied, we’ll refund everything you paid us. We need MORE good information security people!
Outpost24 webinar - Improve your organizations security with red teamingOutpost24
Our Red Teaming expert Hugo van den Toorn explains the key elements of a red team operations, what companies can expect from the assessment and how to benefit from the ‘moment of truth’
Java application security the hard way - a workshop for the serious developerSteve Poole
Cybercrime is rising at an alarming rate. As a Java developer you know you need to be better informed about security matters but it’s hard to know where to start. This workshop will help you understand how to improve the security of your application through a series of demonstration hacks and related hands on exercises. Serious though the topic is, this practical session will be fun and will leaving you more informed and better prepared. Start building your security memory muscle here
Uncovering ICS Threat Activity Groups for Intelligence-Driven Defense: Dragos has released information about eight threat activity groups that have targeted industrial companies. These groups range from espionage, to learning industrial environments for future effects, to causing a power outage and targeting human life directly. But what are threat activity groups? They are different than what is normally tracked in the community as threat actors and have a different focus for defenders.
Rising Cyber Escalation US Iran Russia ICS Threats and Response Dragos, Inc.
Dragos discusses the quickly rising tensions between the US, Russia, and Iran, threat intelligence on malicious activity surrounding these tensions, and recommended responses to defend industrial control systems and critical infrastructure worldwide.
Presentations included from Dragos Threat Intelligence following these threats and the Dragos Threat Operations Center currently responding and defending against these threats.
Visit www.dragos.com for more info about industrial cybersecurity
Our researcher Aryeh Goretsky took a look at some of the more interesting pieces of malware and threats that have occurred over the first six months of the year 2014. And what a year it has been, with some serious new developments as well as persistence of numerous older threats.
Purple Teaming - The Collaborative Future of Penetration TestingFRSecure
Organizations get penetration tests year after year, yet companies still get breached because they’re STILL missing the basics.Traditional penetration tests are failing to prepare organizations for the threats they actually face. They’ve become a commodity of compliance and box-checking. Remediation steps rarely include management objectives. General lack of excitement for Blue Team functions. Red team is sexy, but just a tool. Do you even have a JBOSS server? (Then why are you seeing alerts for it?)
Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, ...Core Security
Vulnerability Assessments, Penetration Tests and Red Teaming – Do you know what these tactics are all about? In this session, we will present our understanding of these practices in terms of when to apply them and what to expect. Nowadays, organizations run on top of hundreds, if not thousands, of Information Technology assets with some of them on premise and others cloud based. Having control over all of this is a challenging task. Based on our extensive experience with securing our customers, I will show what real findings and attack trends look like while hopefully, shedding some light on how to be prepared to resist current attacks.
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...APNIC
APNIC Senior Security Specialist Adli Wahid provides some useful findings of lessons learned from security incidents at the UMS Cybersecurity Awareness Seminar, held online on 25 October 2021.
Managing Next Generation Threats to Cyber SecurityPriyanka Aash
The emergence of next generation technology into the cyber security space has added complications and challenges on several levels. When we talk about next generation technologies we should mean those associated directly with artificial intelligence (AI) and associated components such as machine learning (ML). Unfortunately, many organizations opt to hype current generation products as next gen. In this workshop we will begin by exploring what we need to know about AI and its components. We will dispense with the marketing hype and get down to the facts. Then we will look in detail at a few available tools that truly are next gen - and what makes them next gen - followed by a discussion of where the adversary is going with AI, ML and other next gen technologies. We will wrap up with research from my upcoming book which discusses the collision between the law and cyber science. In this section we also will address some governance issues that you need to know
2018 Year in Review- ICS Threat Activity GroupsDragos, Inc.
Intelligence Analyst Selena Larson, Sr. Adversary Hunter Joe Slowik, and Sr. Adversary Hunter Amy Bejtlich overview the 2018 Year in Review report detailing the eight ICS threat activity groups Dragos' Intelligence team tracks and the changing threat landscape.
In this presentation Daniel Michaud-Soucy, Principal Threat Analyst at Dragos, will demonstrate three separate models in order to identify gaps in ICS security posture. First, threat modeling serves as an inward look as an ICS network defender in order to properly understand the environment, the threat actors, the impacts, the risks and the crown jewels pertaining to an industrial process. Second, the ICS cyber kill chain serves as an outward look at the steps an adversary needs to take in order to achieve their objectives. Third, the bowtie model allows a graphical representation of the threats to the environment as well as the protection, detection, and response controls that help secure it. In the end, the asset owner creates a holistic picture of the security controls in their network, pertaining to the threat actors they care about and allows identification of gaps in their strategy.
Visit www.dragos.com to learn more about the Dragos industrial cybersecurity platform for increased visibility of assets, threats and guided responses.
Threat Dissection - Alberto Soliño Testa Research Director, Core SecurityCore Security
Anatomy 101 of how and what threats actually do in your network. In this session, we will pick a well-known threat and go through the cycle of how actors behave and how security teams can deter, detect, respond and validate using Core Security products.
We discuss the role software plays in information security and compare and contrast how many of the unique attributes of open source can present particular security challenges as opposed to proprietary/commercial software. We will examine the role open source has played in several high profile security incidents, drawing lessons learned from those incidents. We will also review the standards of “reasonableness” established by widely adopted security standards published by NIST and others and discuss the application of those standards to open source.
Welcome to the CISSP Mentor Program! What is the CISSP Mentor Program • History: 1st class was 2010; 6 students • Today’s class; 80 students. Why do we do it • Success Stories • Heck, it’s free! If you aren’t satisfied, we’ll refund everything you paid us. We need MORE good information security people!
Outpost24 webinar - Improve your organizations security with red teamingOutpost24
Our Red Teaming expert Hugo van den Toorn explains the key elements of a red team operations, what companies can expect from the assessment and how to benefit from the ‘moment of truth’
Java application security the hard way - a workshop for the serious developerSteve Poole
Cybercrime is rising at an alarming rate. As a Java developer you know you need to be better informed about security matters but it’s hard to know where to start. This workshop will help you understand how to improve the security of your application through a series of demonstration hacks and related hands on exercises. Serious though the topic is, this practical session will be fun and will leaving you more informed and better prepared. Start building your security memory muscle here
Co Speaker: Cheryl Biswas
Talk Description:
How about this: a blue team talk given by red teamers. But here’s our rationale - your best defence right now is a strategic offence. The rules of the game have changed and we need to get defence up to speed.
We’ll show you what the key elements are in a good defence strategy; what you can and need to be using to full advantage. We’ll talk about the new “buzzwords” and how they apply: visibility; patterns; big data. There’s a whole lotta data to wrangle, and you aren’t seeing the whole picture if you aren’t doing things right. Threat intel is about getting the big picture as it applies to you. You’ll learn the importance of context and prioritization so that you can manipulate intel feeds to do your bidding. And then we’ll take things further and talk about hunting the adversary, using an update on proven methodologies.
We’ll show you how to understand your data, correlate threats and pin point attacks. Attendees will leave with a new understanding of the resources they have on hand, and how to leverage those into an Adaptive Proactive Defense Strategy.
If you thought it was difficult bringing the Ops and Dev teams to the same table, let’s talk about security! Often housed in a separate team, security experts have no incentive to ship software, with a mission solely to minimise risk.
This talk is a detailed case study of bringing security into DevOps. We’ll look at the challenges and tactics, from the suboptimal starting point of a highly regulated system with a history of negative media attention. It follows an Agile-aspiring Government IT team from the time when a deployable product was "finished" to when the application was first deployed many months later.
This talk is about humans and systems - in particular how groups often need to flex beyond the bounds of what either side considers reasonable, in order to get a job done. We’ll talk about structural challenges, human challenges, and ultimately how we managed to break through them.
There are no villains - everybody in this story is a hero, working relentlessly through obstacles of structure, time, law, and history. Come hear what finally made the difference, filling in the missing middle of DevSecOps.
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
Overview of key best practices, antipatterns, and more for security operations (SecOps/SOC)
These slides were used during Mark Simos' Tampa BSides talk on "The no BS SOC" on April 6, 2024
• How Software Development Methodologies may increase the security level
• Detecting and handling vulnerabilities in dependencies in a pragmatic way
• High-level principles that ~always increase the security level
-Microsoft Security Development Lifecycle practices
-What is Dev SecOps
-Static and Dynamic Application Security Testing
When you work with a lot of companies scrutinizing their security, you get to see some amazing things. One of the joys of being a commercial security consultant working for big name firms, is that you get to see a lot of innovation and interesting approaches to common problems.
However, as great as this is, the discrete projects you work on are usually a small representation of the overall company. When you look at the company in its entirety, a familiar pattern of weakness begins to reveal itself. While some companies are obviously better than others, the majority of companies are actually weak in remarkably similar ways.
My work in the attacker modeled pentest and enterprise risk assessment realms focuses on looking at a company as a whole. The premise is that, this is what an attacker would do. They won’t just try to attack your quarterly code reviewed main web site, or consumer mobile app. They won’t directly attack your PCI relevant systems to get to customer credit card data. They won’t limit their attacks to those purely against your IT infrastructure. Instead – they’ll look at your entire company, and they will play dirty.
In this session, I’ll focus on the things that plague us all (well most of us), and I’ll offer some simple advice for how to try and tackle each of these areas:
– Weaknesses in Physical Security
– Susceptibility to Phishing
– Vulnerability Management Immaturity
– Weaknesses in Authentication
– Poor Network Segmentation
– Loose Data Access Control
– Terrible Host / Network Visibility
– Unwise Procurement & Security Spending Decisions
"Threat Model Every Story": Practical Continuous Threat Modeling Work for You...Izar Tarandach
How to do threat modeling in the age of Agile and DevOps. A practical methodology for teams focusing on developers. Also, an introduction to PyTM as a tool for threat-modeling-with-code.
This is the latest version of the State of the DevSecOps presentation, which was given by Stefan Streichsbier, founder of guardrails.io, as the keynote for the Singapore Computer Society - DevSecOps Seminar in Singapore on the 13th January 2020.
SOC Meets Cloud: What Breaks, What Changes, What to Do?Anton Chuvakin
SOC Meets Cloud: What Breaks, What Changes, What to Do?
originally presented at Mandiant mWise 2023 by Dr Anton Chuvakin of Google Cloud Office of the CISO
Cloud changes everything (does it though?), including how we do threat detection and incident response in the SOC. As we continue to transform our attack surfaces, how do we make sure our detection and response are done "the cloud way"? There were also cases where both business and IT migrated to the cloud, but security was left behind and had to approach cloud challenges with on-premise tools and practices. How should a SOC born before cloud deal with cloud? What to watch for? What changes? What breaks? What stays the same?
For Business's Sake, Let's focus on AppSecLalit Kale
Slide-Deck for session on Application Security at Limerick DotNet-Azure User Group on 15th Feb, 2018
Event URL: https://www.meetup.com/Limerick-DotNet/events/hzctdpyxdbtb/
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?Anthony Melfi
Despite being around for well over six years, the position of a "cyber threat analyst" is one that is still not yet clearly defined. The lack of definition is due to the positions popularity and infancy. This talk isn't about stating which definition is right or wrong. This presentation is about the set of skills, concepts and theories which enable an analyst to be successful under any definition of "cyber threat analyst". For beginners it is a road-map. For experienced analysts it is a cross-pollination of ideas.
I was extremely excited and nervous to deliver the first non-keynote presentation at bsides NOVA 2017. The actual presentation is posted to youtube: https://www.youtube.com/watch?v=Xzd4ousd8-U&list=PLNhlcxQZJSm95e9Z5mvkAk5H3eEBFuVSf&index=19
Similar to Threat Modeling Lessons from Star Wars (20)
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
3. Why Are We Here Today?
• Engineermore secure systems
• Structured, systematicand comprehensiveapproach
• Engineera consistent& predictable lack of surprise
• Works for you (as people, organization and ecosystem)
17. STRIDE Mnemonic
• Spoofing
• Tampering
• Repudiation
• InformationDisclosure
• Denialof Service
• Elevation of Privileges
…Helps us be structured in how we thinkabout threats
19. What Are We Going To Do About
It?
Threat Property Mitigation approach
Spoofing Authentication Passwords, multi-factor authN
Digital signatures
Tampering Integrity Permissions/ACLs
Digital signatures
Repudiation Non-Repudiation
(Accountability)
Secure logging and auditing
Digital Signatures
Information Disclosure Confidentiality Encryption
Permissions/ACLS
Denial of Service Availability Permissions/ACLs
Filtering
Quotas
Elevation of privilege Authorization Permissions/ACLs
Input validation
22. Trap #1: “Search your feelings!”
• “ThinkLikeAn Attacker”
• Serious work is helped by structure
Fix
Trap
23. Trap #2: “You’re Never Done Threat
Modeling”
Model
Identify
Threats
Mitigate
Validate
Model
Identify
Threats
Mitigate
Validate
24. Trap #3: “The Way To Threat Model
Is…”
• Too much focus on specifics of how
– Use this framework (STRIDE)
– With this diagram type
• Focus on helpingpeople find good threats
• Focus on differentskills, systems
– Developers
– Operations
Fix
Trap
26. Security mavens Experts in other areas
Trap #3: “The Way To Threat Model
Is…”
Software
Systems
27. Trap #4: Threat Modeling as One Skill
• “I should learn tothreatmodel”
• Thinkof threatmodeling
– Likesoftwaredevelopment
– Techniques&repertoire
• Technique: DFDs,STRIDE,Attacktrees
• Repertoire:
– Tools:Firesheep,Hydra,Kali
– Books:Cuckoo'sEggtoCountdowntoZeroDay
• Allused toanalogize& reason about newsystems
Trap
Fix
28. Trap #5: “Threat Modeling is Easy”
• Thinkingyour first threatmodel will be easy
• “Driving is easy”
• Onceyou learn
• 40,000 US deaths peryear
• Planto work, build muscle
Trap
Fix
29. Trap #6: Threat Modeling is for
Specialists
• ThinkingTM is for specialists
• Make it likeversion control:
– Every developer, most sysadmins know some
– Some orgs have fulltime people managing trees
• This is a stretch goal for threatmodeling
Trap
Fix
30. Trap #7: The Wrong Focus
• Start from your assets
• Start by thinkingaboutyour attackers
• Threat modeling should focus on findingthreats
• Remember trap #3: “The way to threatmodel is”
• Startingfrom assets or attackers work for some people
Trap
Fix
31. Trap #8: Straining Against The Supply
Chain
• Trying to do it all
– Cost & feasibilityof fixeschanges
– Threats are “easy” to address at different parts
• SoC chipmakercan ship trusted boot
• Developers can addlogging, not seeonsite logs
• Thinkabout an alliance along your supply chain
– Security Operations Guide
– Non-requirements
Trap
Fix
33. Trap #10: Threat Model at the Wrong
Time
“Sir, we’veanalyzed their attack
pattern, and …
there is a danger”
34. Summary
• Anyone can threat model, and everyone should…soon!
• The skills, techniquesand repertoire can all be learned
• There are many traps
• Threat modeling can be the most effectiveway to drive security throughyour
product, service or system
35. “All models are wrong,
some models are useful”
— George Box, FRS