Avi Douglen, Software Security Advisor, Bounce Security presented at the Synopsys Security Event - Israel. For more information please visit us at www.synopsys.com/software
Value-driven threat modeling: Security by design - Avi Douglen - DevOpsDays T... (DevOpsDays Tel Aviv)
Threat Modeling is a great method to identify potential security flaws, part of any secure design. But instead of investing time + budget in a top-heavy, big-model-up-front threat modeling methodology, we can use a lightweight value-driven approach to embed security right into the agile dev process!
DevSecCon Tel Aviv 2018 - Value driven threat modeling by Avi Douglen (DevSecCon)
This document discusses value-driven threat modeling, a lightweight approach to threat modeling that prioritizes security based on business value. It advocates for developers to integrate threat modeling into their workflow by focusing on the core questions of what is being built, what could go wrong, how to address issues, and ensuring quality. Specific techniques discussed include using acceptance criteria, security unit tests, abuser stories, and a threat pyramid. The approach aims to make threat modeling quicker and more natural for developers while still addressing important security risks. Some limitations are that it may miss threats and relies on developer experience, requiring an embedded security champion for complex systems.
Link to Youtube video: https://youtu.be/OJMqMWnxlT8
You can contact me at abhimanyu.bhogwan@gmail.com
My LinkedIn ID: https://www.linkedin.com/in/abhimanyu-bhogwan-cissp-ctprp-98978437/
Threat Modeling (system + enterprise)
What is Threat Modeling?
Why do we need Threat Modeling?
6 Most Common Threat Modeling Misconceptions
Threat Modelling Overview
6 important components of a DevSecOps approach
DevSecOps Security Best Practices
Threat Modeling Approaches
Threat Modeling Methodologies for IT Purposes
STRIDE
Threat Modelling Detailed Flow
System Characterization
Create an Architecture Overview
Decomposing your Application
Decomposing DFDs and the Threat-Element Relationship
Identify possible attack scenarios mapped to S.T.R.I.D.E. model
Identifying Security Controls
Identify possible threats
Report to Developers and Security team
DREAD Scoring
My Opinion on implementing Threat Modeling at enterprise level
Everett Maus, Microsoft
As shipping cycles accelerate, the only way that security teams will be able to continue to enforce a consistent security bar on shipping code and prevent obvious (or less obvious) regressions is writing tools that can detect security issues--in short, security tools are a key part of DevSecOps. However, there are plenty of common pitfalls that hamper security tool rollouts, preventing them from being successful.
In this talk, we'll cover types of tools you can build to help developers ship secure code, and then dig into best practices (and worst practices) for shipping tools to large developer organizations--referencing industry papers, academic studies, and experiences from various successful (and less successful) Microsoft tooling efforts.
This talk is aimed at security experts curious about tool development or considering developing their first tools. Existing security tool developers may find some parts of it interesting, but much of it rudimentary--we won't be covering new techniques for static analysis or revolutionary new fuzzing strategies.
Learn about threat modeling from our CTO and co-creator of the DREAD threat modeling classification, Jason Taylor. Understand more about what threat modeling is, dive into real life examples, and use techniques you can leverage at every phase of the SDLC.
DevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx (DevSecCon)
Threat modeling can be challenging in agile environments where processes need to be lightweight and adaptable. The presentation discusses the OWASP STAYPUFT methodology for integrating threat modeling into agile development. It involves three phases - ascertain threats from user stories, identify threats to components, and select mitigations from common controls. Examples are given for how threat modeling can be incorporated into scrum and kanban processes by updating diagrams and assumptions during planning and reviews. The goal is to perform threat modeling iteratively to keep security risks understood and addressed throughout development.
Did you lock the door before leaving your house this morning? If you did, you threat modeled without even realizing it. Threat modeling is identifying potential threats (house robbery) and implementing measures to mitigate the risk (locking your door).
Whether the assets you are protecting are personal or business-related, such as the software you are developing, threat modeling should become an instinctive and necessary part of your process.
Our talk highlights how nearly 50% of security flaws can be mitigated through threat modeling. We help you prevent and mitigate risks by utilizing a reliable and hard-hitting analysis technique that can be applied to individual applications or across an entire portfolio. We show you how to effectively apply these techniques at the start of the design phase and throughout every phase of the development lifecycle so you can maximize the ROI of your security efforts.
Topics covered include:
• Threat Modeling 101
• The propagating effect of poor design
• Tabletop exercise – a world with and without threat modeling
• Best practices and metrics for every stakeholder
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors (Ryan Elkins)
The document provides guidance on implementing simple yet effective security defenses to thwart cyber attacks. It recommends building security programs with key components like policies, baselines, risk acceptance models and checklists for application security reviews. Specific defenses include user awareness training, least privileged access, patching, network segmentation, input validation, logging and encryption. The document argues that with the right foundations, organizations do not need large budgets for security and can prevent common hacking techniques.
DevSecOps is a cultural change that incorporates security practices into software development through people, processes, and technologies. It aims to address security without slowing delivery by establishing secure-by-design approaches, automating security tools and processes, and promoting collaboration between developers, security engineers, and operations teams. As software and connected devices continue proliferating, application security must be a central focus of the development lifecycle through a DevSecOps methodology.
Product engineering teams have started to realize the importance of software security. This has resulted in a trend where teams make the effort to include it as part of their software development life cycle, as opposed to treating it as just another item on their checklist prior to release. However, the real challenge is finding the balance between agility and quality, which is where many teams find this an uphill task.
While there is no golden standard when it comes to implementing software security, product teams should focus on bringing about systematic and cultural practices within their teams. This should help them to bring about the required efficiency to enable software security as a market differentiator.
This slide-deck on Software Security Initiative focuses on translating a plan of action into sustainable activities as part of the secure software development life cycle that can be adopted by engineering teams. The slides will delve deep into aspects like identifying and designing security checkpoints in the SDLC alongside concepts such as Threat Modelling in Agile, AppSec Toolchain and Security Regressions.
This was presented as a we45 Webinar on April 12, 2018
The document discusses application security best practices. It notes that 60% of internet attacks target web applications, with SQL injection and XSS making up 80% of vulnerabilities. It recommends that security be incorporated throughout the entire software development lifecycle, from requirements to testing. Key steps include threat modeling, secure coding practices, code reviews, fuzz testing and penetration testing. Ongoing maintenance is also important.
The document discusses threat modeling and application security testing. It begins by noting a lack of secure coding knowledge among developers and testers. It then uses an analogy comparing building applications to building cars, noting many similarities in unsecure practices. This is followed by sections on vulnerabilities versus security, common application vulnerabilities, and industry solutions. The document concludes by discussing threat modeling and provides an example using the OWASP Threat Dragon tool.
"Threat Model Every Story": Practical Continuous Threat Modeling Work for You... (Izar Tarandach)
How to do threat modeling in the age of Agile and DevOps. A practical methodology for teams focusing on developers. Also, an introduction to PyTM as a tool for threat-modeling-with-code.
Everyone knows you ought to threat model, but in practical reality it turns out to be tricky. If past efforts to threat model haven't panned out, perhaps part of the problem is confusion over what works, and how the various approaches conflict or align. This talk captures lessons from years of work helping people throughout the software industry threat model more effectively. It's designed to help security pros, developers and systems managers, all of whom will leave with both threat modeling lessons from Star Wars and a proven foundation, enabling them to threat model effectively.
Brad Andrews, CEO, RBA Communications
Threat Modeling Overview
This session will cover the basic elements of threat modeling, looking at what it does and why it is important. The goal is to provide a high level overview of the process and the use of things like data flow diagrams to look for trust boundaries attacks may come across. We will go through some common threats and hopefully a list of dangers to watch out for when carrying out threat modeling. The session will then work to interactively develop a flow diagram of Amazon.com and possibly another subject if we have time. This will all be based on looking at the system as a user, without any insider knowledge, though Threat Modeling is normally carried out by those who do know the system well.
This document discusses building application security teams. It begins by introducing the author and their background in application security. It then discusses creating an environment where security enables business goals rather than hinders them. It suggests embedding security into culture by focusing on quality, testing, and engineering. It discusses the importance of application security policies being customized and delivered effectively. It emphasizes the need for application security activities like threat modeling and code reviews to avoid relying on "security pixie dust". It argues that even non-software companies should view themselves as software companies due to their reliance on code. Finally, it discusses building application security teams internally by training and educating developers rather than exclusively hiring specialists.
Security Champions - Introduce them in your Organisation (Ives Laaf)
How to get secure software development established and train teams. A methodology based on the concept of security champions and OWASP tools and guides.
1. Cybersecurity risk management involves identifying vulnerabilities and risks, assessing their likelihood and impact, and implementing measures to reduce risks to acceptable levels.
2. A risk analysis was presented that identifies assets, threats, vulnerabilities, assesses impact of threats, likelihood of vulnerabilities being exploited, and determines overall risk levels.
3. Managing cybersecurity risk is a team effort that requires addressing both technical risks like vulnerabilities in systems, as well as human risks from employees through training to reduce threats.
The document outlines the agenda for a threat modeling workshop. The workshop includes three sessions: (1) BYOTM where attendees bring their own threat models to work on together, (2) an advanced threat modeling session on applying rapid techniques in a DevOps environment, and (3) an introductory threat modeling primer. The document then provides more details on topics covered in each session, including customizing approaches to organizational needs, key threat modeling terms, and frameworks that can be used. It emphasizes the importance of focusing threat modeling efforts on adding value and keeping practices sustainable.
Injecting Threat Modeling into the SDLC by Susan Bradley (QA or the Highway)
The document discusses injecting threat modeling into the software development lifecycle (SDLC). It provides examples of security issues that could have been prevented with threat modeling, such as the Equifax data breach. Threat modeling is a structured approach to identify, quantify, and address security risks. It should be used during requirements, design, and development phases of both new and existing functionality. The process involves data flow diagrams, identifying threats and proposed responses, prioritizing mitigations, and using techniques like STRIDE. Threat modeling sessions should gather documentation and cross-functional teams to holistically understand risks. Identified risks are then evaluated and prioritized to determine how to handle each risk.
This document discusses implementing a secure software development lifecycle (SDLC) to improve application security. It outlines why the traditional approach of only involving security experts does not work. Instead, it proposes integrating security practices throughout each phase of the development process, including requirements, design, implementation, verification, and release. This includes training developers, conducting threat modeling and security testing, using security tools in continuous integration, and analyzing results to address issues early. The goal is to reduce security defects over time by changing developer mindsets and integrating security as applications are built.
Experts Live 2022 - Attack Surface Reduction rules...your best ally against r... (PimJacobs3)
Attack Surface Reduction rules in Windows Defender can help defend against ransomware attacks by reducing common techniques used by ransomware. The rules target suspicious software behaviors to prevent attacks. There are different rule categories and operating modes that can be used. Configuring and monitoring the rules through Endpoint Manager was demonstrated. Tips were provided on how and where to start implementing Attack Surface Reduction rules, such as creating individual policies, using audit mode initially, and using Advanced Hunting queries to identify compatibility issues. Resources for further information on Attack Surface Reduction rules were also shared.
This presentation discusses the importance of threat modeling and the different ways to perform it. Threat modeling should be done during the design phase of application development. Its main aim is to identify the important assets or functionalities of the application and to protect them. Threat modeling cuts down the cost of application development because it identifies issues during the design phase. The presentation also covers the basics of mobile threat modeling and concentrates mainly on STRIDE and DREAD.
The document discusses security best practices across the software development lifecycle (SDLC). It covers:
- The Microsoft Security Development Lifecycle (SDL) methodology which includes activities like threat modeling, security testing, using approved tools and cryptography standards, managing third-party components, and establishing an incident response process.
- Static and dynamic application security testing (SAST and DAST) - SAST analyzes source code for vulnerabilities while DAST tests running applications. Both have tradeoffs in terms of when issues are found, expenses to fix, and what types of vulnerabilities are discovered.
- DevSecOps practices like integrating security activities into each stage of development through techniques like incremental threat modeling, automated testing, and continuous
This document discusses integrating security practices into agile software development processes. It begins with an overview of agile development principles and how security frameworks can sometimes conflict with an agile approach. It then discusses strategies for collaborating with development teams on security, including designating security champions within teams and providing customized security training. The document closes by highlighting the importance of catching security issues early in the development process, citing statistics about the frequency and costs of breaches that result from insecure software releases.
Times are changing and demand ever more attention. This is especially true in the area of open-source software. The complexity, particularly in the technology sector, is enormous, especially when the security aspect plays an important role.
The use of open source is already considerable and is steadily increasing. Compared to last year, the number of companies using OSS has risen enormously. In Germany, 69% of the surveyed companies use OSS, and the trend is steadily rising. Globally, according to the 2019 OSSRA report (Open Source Security and Risk Analysis), 60% of the surveyed companies used open source in the analysed code in 2018; a 3% increase over the previous year.
During this talk, we looked at some of the typical controls that Android/iOS applications exhibit, how they work, how to spot them, and how to sidestep them. We’ll demonstrate analysis and techniques using free open source tooling such as Radare and Frida, and for some parts, we’ll use IDA Pro. And since “automation” is the buzzword of the year, we’ll discuss how to automate some of these activities, which typically take up most of the assessment window.
The document discusses security best practices across the software development lifecycle (SDLC). It covers:
- The Microsoft Security Development Lifecycle (SDL) methodology which includes activities like threat modeling, security testing, using approved tools and cryptography standards, managing third-party components, and establishing an incident response process.
- Static and dynamic application security testing (SAST and DAST) - SAST analyzes source code for vulnerabilities while DAST tests running applications. Both have tradeoffs in terms of when issues are found, expenses to fix, and what types of vulnerabilities are discovered.
- DevSecOps practices like integrating security activities into each stage of development through techniques like incremental threat modeling, automated testing, and continuous
This document discusses integrating security practices into agile software development processes. It begins with an overview of agile development principles and how security frameworks can sometimes conflict with an agile approach. It then discusses strategies for collaborating with development teams on security, including designating security champions within teams and providing customized security training. The document closes by highlighting the importance of catching security issues early in the development process, citing statistics about the frequency and costs of breaches that result from insecure software releases.
Similar to Synopsys Security Event Israel Presentation: Value Driven Threat Modeling (20)
Die Zeiten ändern sich und verlangen immer mehr Aufmerksamkeit. Dies trifft speziell im Bereich Open-Source-Software zu. Die Komplexität gerade in der Technologiebranche ist enorm, gerade wenn der Sicherheitsaspekt eine wichtige Rolle spielt.
Die Nutzung von Open-Source ist bereits beachtlich und nimmt stetig zu. Im Vergleich zum letzten Jahr ist die Anzahl der Unternehmen, die OSS verwenden enorm gestiegen. In Deutschland setzen 69% der befragten Unternehmen OSS ein und der Trend steigt stetig. Im globalen Vergleich verwenden laut des OSSRA Berichts 2019 (Open Source Sicherheits-und Risikoanalyse) 60% der befragten Unternehmen Open Source im analysierten Code im Jahr 2018; eine 3%ige Steigerung zum Vorjahr.
During this talk, we looked at some of the typical controls that Android/iOS applications exhibit, how they work, how to spot them, and how to sidestep them. We’ll demonstrate analysis and techniques using free open source tooling such as Radare and Frida, and for some parts, we’ll use IDA Pro. And since “automation” is the buzzword of the year, we’ll discuss how to automate some of these activities, which typically take up most of the assessment window.
For more information, please visit our website at www.synopsys.com/software
This annual review will highlight the most significant legal developments related to open source software in 2019, including:
•Evolution of open source: control, sustainability, and politics
•Litigation update: Cambium and Artifex cases
•Patents and the open source community
•Impacts of government sanctions
•The shift left for compliance and rise of bug bounty programs
•And much, much more
For more information, please visit https://www.synopsys.com/software-integrity/managed-services/open-source-software-audit.html
Today’s security professionals and software developers not only have to do more in less time; they have to do it securely. This means mitigating risk and addressing compliance requirements in an environment where:
• The threat landscape continues to evolve.
• Application portfolios and their risk profiles continue to shift.
• Security tools are difficult to deploy, configure, and integrate into workflows.
• Consumption models continue to change.
How can your internal resources keep pace in this dynamic environment? Managed application security testing can be just the relief valve your organization needs. In this webinar, we’ll discuss the need for managed application security testing, the sweet spots where it offers maximum value, what you should look for in a managed application security testing provider, and highlights from Synopsys’ Managed Services offering.
Today’s security professionals and software developers not only have to do more in less time; they have to do it securely. This means mitigating risk and addressing compliance requirements in an environment where:
• The threat landscape continues to evolve.
• Application portfolios and their risk profiles continue to shift.
• Security tools are difficult to deploy, configure, and integrate into workflows.
• Consumption models continue to change.
How can your internal resources keep pace in this dynamic environment? Managed application security testing can be just the relief valve your organization needs. In this webinar, we’ll discuss the need for managed application security testing, the sweet spots where it offers maximum value, what you should look for in a managed application security testing provider, and highlights from Synopsys’ Managed Services offering.
For more information, please visit our website at https://www.synopsys.com/software-integrity/managed-services.html
During a recent webinar, Jonathan Knudsen presented: "That's Not How This Works: All Development Should Be Secure."
Development teams are pressured to push new software out quickly. But with speed comes risk. Anyone can write software, but if you want to create software that is safe, secure, and robust, you need the right process. Webinar attendees will learn:
• Why traditional approaches to software development usually end in tears and heartburn
• How a structured approach to secure software development lowers risk for you and your customers
• Why automation and security testing tools are key components in the implementation of a secure development life cycle
For more information, please visit our website at www.synopsys.com/software-integrity.html
Companies’ use of open source software has surpassed the occasional and solidified itself as the mainstream. Effectively identifying and managing the compliance and security risks associated with open source software can be a difficult task. Whether a company is acquiring another company, preparing for acquisition or simply wanting to manage their use of open source, the universal first step is to figure out the composition of the code, often via an audit. But what do you do once you have the audit report?
For more information, please visit our website at https://www.synopsys.com/open-source-audit
During a recent webinar, Lewis Ardern, senior security consultant presented "OWASP Top 10 for JavaScript Developers."
19_10_EMEA_WB_Owasp Top 10 for Java Script Developers With the release of the OWASP Top 10 2017, we saw new contenders for the most critical security issues in the web application landscape. Much of the OWASP documentation concerning issues, remediation advice, and code samples focuses on Java, C++, and C#. However, it doesn’t give much attention to JavaScript. JavaScript has drastically changed over the last few years with the release of Angular, React, and Vue, alongside the growing use of Node.js and its libraries and frameworks. This talk will introduce you to the OWASP Top 10 by explaining JavaScript client and server-side vulnerabilities.
For more information, please visit our website at www.synopsys.com/standards
During a recent webinar, West Monroe discussed, "The State of Open Source in M&A Transactions."
Based extensive experience in M&A, West Monroe Partners is on the front line when it comes to tech due diligence, and they’ve seen a few trends emerge when it comes to open source and M&A deals. Buyers and seller alike need to understand these trends to get the most value out of any transaction.
For more information, please visit our website at www.synopsys.com/open-source-audit
Vulnerabilities are an inevitable part of software development and management. Whether they’re in open source or custom code, new vulnerabilities will be discovered as a codebase ages. As stated in the 2019 Open Source Security and Risk Analysis report, 60% of the codebases audited in 2018 contained at least one known vulnerability. As the number of disclosures, patches, and updates grows, security professionals must decide which critical items to address immediately and which items to defer.
For more information, please visit our website at www.synopsys.com/software.
Dan Sturtevant, Silverthread and Niles Madison at Synopsys discussed design quality and code quality on a recent webinar.
In an acquisition where a software asset is a core part of the deal valuation, it’s important to understand the overall quality of the software prior to doing the deal. Buggy software is problematic and needs to be cleaned up, so assessing code quality is important. But also, with poorly designed software, every fix is costly and laborious. This can significantly impact the long-term viability of the application, and maintaining that software can seriously degrade ROI. That’s why understanding a software system’s design or architectural health and the likely 'cost of ownership' is key..
For more information, please visit our website at https://www.synopsys.com/open-source-audit
During a recent webinar, Andrew Vanderstock, senior principal consultant at Synopsys presented "Using Evidence-Based Security in Your Secure Development Life Cycle." For more information on our products and services, please visit our website at www.synopsys.com/software.
The Synopsys Cybersecurity Research Center (CyRC) has a dedicated team of security analysts who specialize in sourcing, curating, and analyzing open source software vulnerabilities. The team delivers a customer-focused vulnerability feed comprising open source vulnerability reports called BDSAs (Black Duck Security Advisories). These reports are timely, accurate, and packed with relevant actionable information.
In this webinar, Siobhan Hunter, security research lead, reveals why the high-quality content of the BDSA feed is best in class, with examples of how our BDSA feed compares with the NVD and insights into how we discover and deliver valuable vulnerability information for our customers every day. For more information, please visit our website at https://www.synopsys.com/cyrc
This document summarizes a study on why investing in application security (appsec) matters for financial services organizations. The study found that over 50% of financial services firms had experienced theft of customer data due to insecure software. It also found that on average, only 34% of financial software and technology is tested for cybersecurity vulnerabilities. While addressing cybersecurity risks is important, the study noted that financial organizations face resource constraints, with only 45% believing they have adequate budgets for security and only 38% having necessary security skills. The document promotes the software integrity tools offered by Synopsys to help organizations build more secure software faster and address these challenges.
Virtually every organization uses open source software, and lots of it, to create efficiencies in software development. But left unmanaged, open source can introduce legal, IP, compliance, and other risks for the business. With over 2,500 different licenses in use, legal professionals and technical managers need to understand the license obligations associated with open source and how to mitigate risks. For more information, please visit our website at www.synopsys.com/open-source-audit
In the past few years, cybersecurity has become more intertwined into each step of the automotive development process. In particular, fuzz testing has proven to be a powerful approach to detect unknown vulnerabilities in automotive systems. However, with limited instrumentation, especially on systems such as in-vehicle infotainment (IVI) system and telematics units, there are several types of issues that go undetected, such as memory leaks and cases where the application crashes but restarts quickly. For more information, please visit www.synopsys.com/auto
During a recent webinar attendees learned how a purpose-built M&A open source audit differs from open source management tools and why it matters in tech due diligence. We covered: • The types of risk around open source software • Why depth of analysis matters, and what it results in during M&A diligence • Why accuracy, reporting, and expert human analysis are keys to thorough diligence.
For more information, please visit our website at www.synopsys.com/open-source-audit
Lysa Bryngelson, Sr. Product Manager for Black Duck Binary Analysis at Synopsys presented on a recent webinar. During the webinar, she discussed one of the biggest challenges companies face with third-party software is lack of visibility into the open source libraries used in the software they embed in their products. Over the last year, major security breaches have been attributed to exploits of vulnerabilities in open source frameworks used by Fortune 100 companies in education, government, financial services, retail, and media. For more information, please visit our website at www.synopsys.com/blackduck
Alors que l’adoption de DevOps pour des organisations Agile était une transition naturelle, le passage à DevSecOps a introduit de nouveaux défis. DevSecOps nécessite un changement important de mentalité et de culture d'entreprise pour intégrer les nouveaux outils et les nouvelles activités de sécurité. C’est la raison pour laquelle suivre le rythme d’Agile et la culture DevOps lors de l’introduction de la sécurité dans le cycle de développement logiciel (SDLC) est un défit pour de nombreuses entreprises.
Dans ce webinaire, Cem Nisanoglu explore le modèle opérationnel de DevSecOps et souligne l'importance de la gestion des changements, de l'automatisation, et des indicateurs de sécurité dans une transition vers DevSecOps, ainsi que la manière dont ces activités peuvent contribuer à la formation de sécurité, à des cycles de release plus rapides, et à l'optimisation des budgets de sécurité dans l’entreprise.
Tim Mackey is a principal security strategist with the Synopsys Cybersecurity Research Center(CyRC). Within this role, he engages with various technical and business communities to understand how application security is evolving with ever-expanding attack surfaces and increasingly sophisticated threats. He specializes in container security, virtualization, cloud technologies, distributed systems engineering, mission critical engineering, performance monitoring, and large-scale data center operations. Tim takes the lessons learned from these activities and delivers talks globally at conferences like RSA, KubeCon and InfoSec. For more information, please visit www.synopsys.com/software.
During a recent webinar, Tim Mackey, Principal Security Strategist with the Synopsys Cyber Research Center discussed how to streamline the tech due diligence process.
For more information, please visit our website at www.synopsys.com/open-source-audit
Microservice Teams - How the cloud changes the way we workSven Peters
A lot of technical challenges and complexity come with building a cloud-native and distributed architecture. The way we develop backend software has fundamentally changed in the last ten years. Managing a microservices architecture demands a lot of us to ensure observability and operational resiliency. But did you also change the way you run your development teams?
Sven will talk about Atlassian’s journey from a monolith to a multi-tenanted architecture and how it affected the way the engineering teams work. You will learn how we shifted to service ownership, moved to more autonomous teams (and its challenges), and established platform and enablement teams.
Enhanced Screen Flows UI/UX using SLDS with Tom KittPeter Caitens
Join us for an engaging session led by Flow Champion, Tom Kitt. This session will dive into a technique of enhancing the user interfaces and user experiences within Screen Flows using the Salesforce Lightning Design System (SLDS). This technique uses Native functionality, with No Apex Code, No Custom Components and No Managed Packages required.
INTRODUCTION TO AI CLASSICAL THEORY TARGETED EXAMPLESanfaltahir1010
Image: Include an image that represents the concept of precision, such as a AI helix or a futuristic healthcare
setting.
Objective: Provide a foundational understanding of precision medicine and its departure from traditional
approaches
Role of theory: Discuss how genomics, the study of an organism's complete set of AI ,
plays a crucial role in precision medicine.
Customizing treatment plans: Highlight how genetic information is used to customize
treatment plans based on an individual's genetic makeup.
Examples: Provide real-world examples of successful application of AI such as genetic
therapies or targeted treatments.
Importance of molecular diagnostics: Explain the role of molecular diagnostics in identifying
molecular and genetic markers associated with diseases.
Biomarker testing: Showcase how biomarker testing aids in creating personalized treatment plans.
Content:
• Ethical issues: Examine ethical concerns related to precision medicine, such as privacy, consent, and
potential misuse of genetic information.
• Regulations and guidelines: Present examples of ethical guidelines and regulations in place to safeguard
patient rights.
• Visuals: Include images or icons representing ethical considerations.
Content:
• Ethical issues: Examine ethical concerns related to precision medicine, such as privacy, consent, and
potential misuse of genetic information.
• Regulations and guidelines: Present examples of ethical guidelines and regulations in place to safeguard
patient rights.
• Visuals: Include images or icons representing ethical considerations.
Content:
• Ethical issues: Examine ethical concerns related to precision medicine, such as privacy, consent, and
potential misuse of genetic information.
• Regulations and guidelines: Present examples of ethical guidelines and regulations in place to safeguard
patient rights.
• Visuals: Include images or icons representing ethical considerations.
Real-world case study: Present a detailed case study showcasing the success of precision
medicine in a specific medical scenario.
Patient's journey: Discuss the patient's journey, treatment plan, and outcomes.
Impact: Emphasize the transformative effect of precision medicine on the individual's
health.
Objective: Ground the presentation in a real-world example, highlighting the practical
application and success of precision medicine.
Data challenges: Address the challenges associated with managing large sets of patient data in precision
medicine.
Technological solutions: Discuss technological innovations and solutions for handling and analyzing vast
datasets.
Visuals: Include graphics representing data management challenges and technological solutions.
Objective: Acknowledge the data-related challenges in precision medicine and highlight innovative solutions.
Data challenges: Address the challenges associated with managing large sets of patient data in precision
medicine.
Technological solutions: Discuss technological innovations and solutions
Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...Paul Brebner
Closing talk for the Performance Engineering track at Community Over Code EU (Bratislava, Slovakia, June 5 2024) https://eu.communityovercode.org/sessions/2024/why-apache-kafka-clusters-are-like-galaxies-and-other-cosmic-kafka-quandaries-explored/ Instaclustr (now part of NetApp) manages 100s of Apache Kafka clusters of many different sizes, for a variety of use cases and customers. For the last 7 years I’ve been focused outwardly on exploring Kafka application development challenges, but recently I decided to look inward and see what I could discover about the performance, scalability and resource characteristics of the Kafka clusters themselves. Using a suite of Performance Engineering techniques, I will reveal some surprising discoveries about cosmic Kafka mysteries in our data centres, related to: cluster sizes and distribution (using Zipf’s Law), horizontal vs. vertical scalability, and predicting Kafka performance using metrics, modelling and regression techniques. These insights are relevant to Kafka developers and operators.
How Can Hiring A Mobile App Development Company Help Your Business Grow?ToXSL Technologies
ToXSL Technologies is an award-winning Mobile App Development Company in Dubai that helps businesses reshape their digital possibilities with custom app services. As a top app development company in Dubai, we offer highly engaging iOS & Android app solutions. https://rb.gy/necdnt
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdfVALiNTRY360
Salesforce Healthcare CRM, implemented by VALiNTRY360, revolutionizes patient management by enhancing patient engagement, streamlining administrative processes, and improving care coordination. Its advanced analytics, robust security, and seamless integration with telehealth services ensure that healthcare providers can deliver personalized, efficient, and secure patient care. By automating routine tasks and providing actionable insights, Salesforce Healthcare CRM enables healthcare providers to focus on delivering high-quality care, leading to better patient outcomes and higher satisfaction. VALiNTRY360's expertise ensures a tailored solution that meets the unique needs of any healthcare practice, from small clinics to large hospital systems.
For more info visit us https://valintry360.com/solutions/health-life-sciences
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdfBaha Majid
IBM watsonx Code Assistant for Z, our latest Generative AI-assisted mainframe application modernization solution. Mainframe (IBM Z) application modernization is a topic that every mainframe client is addressing to various degrees today, driven largely from digital transformation. With generative AI comes the opportunity to reimagine the mainframe application modernization experience. Infusing generative AI will enable speed and trust, help de-risk, and lower total costs associated with heavy-lifting application modernization initiatives. This document provides an overview of the IBM watsonx Code Assistant for Z which uses the power of generative AI to make it easier for developers to selectively modernize COBOL business services while maintaining mainframe qualities of service.
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...XfilesPro
Wondering how X-Sign gained popularity in a quick time span? This eSign functionality of XfilesPro DocuPrime has many advancements to offer for Salesforce users. Explore them now!
Preparing Non - Technical Founders for Engaging a Tech AgencyISH Technologies
Preparing non-technical founders before engaging a tech agency is crucial for the success of their projects. It starts with clearly defining their vision and goals, conducting thorough market research, and gaining a basic understanding of relevant technologies. Setting realistic expectations and preparing a detailed project brief are essential steps. Founders should select a tech agency with a proven track record and establish clear communication channels. Additionally, addressing legal and contractual considerations and planning for post-launch support are vital to ensure a smooth and successful collaboration. This preparation empowers non-technical founders to effectively communicate their needs and work seamlessly with their chosen tech agency.Visit our site to get more details about this. Contact us today www.ishtechnologies.com.au
E-commerce Development Services- Hornet DynamicsHornet Dynamics
For any business hoping to succeed in the digital age, having a strong online presence is crucial. We offer Ecommerce Development Services that are customized according to your business requirements and client preferences, enabling you to create a dynamic, safe, and user-friendly online store.
Measures in SQL (SIGMOD 2024, Santiago, Chile)Julian Hyde
SQL has attained widespread adoption, but Business Intelligence tools still use their own higher level languages based upon a multidimensional paradigm. Composable calculations are what is missing from SQL, and we propose a new kind of column, called a measure, that attaches a calculation to a table. Like regular tables, tables with measures are composable and closed when used in queries.
SQL-with-measures has the power, conciseness and reusability of multidimensional languages but retains SQL semantics. Measure invocations can be expanded in place to simple, clear SQL.
To define the evaluation semantics for measures, we introduce context-sensitive expressions (a way to evaluate multidimensional expressions that is consistent with existing SQL semantics), a concept called evaluation context, and several operations for setting and modifying the evaluation context.
A talk at SIGMOD, June 9–15, 2024, Santiago, Chile
Authors: Julian Hyde (Google) and John Fremlin (Google)
https://doi.org/10.1145/3626246.3653374
Using Query Store in Azure PostgreSQL to Understand Query PerformanceGrant Fritchey
Microsoft has added an excellent new extension in PostgreSQL on their Azure Platform. This session, presented at Posette 2024, covers what Query Store is and the types of information you can get out of it.
Most important New features of Oracle 23c for DBAs and Developers. You can get more idea from my youtube channel video from https://youtu.be/XvL5WtaC20A
2. Summary
■ Threat Modeling is great, but not used enough
■ Developers should Threat Model too!
– Not just security
■ Prioritize by business value
■ Make it quick, make it lightweight, make it Agile
4. About Me
■ Email: AviD@BounceSecurity.com
■ Twitter: @sec_tigger
■ He / Him
■ The important things:
– Whisky: smokey
– Beer: stout
– Coffee: strong
■ Software Security @
■ Researcher / Developer / Architect
■ OWASP Israel Leader
■ Moderator Security.StackExchange
■ Volunteer High School teacher
■ Threat Model Project Leader
5. What is Threat Modeling?
■ Structured security-based analysis
■ Framework to understand threats
■ Review of Design Elements
■ Prioritize Mitigations by Risk
6. “Classic” Threat Modeling
■ Data Flows and Attack Surface
■ Focus on Assets, Trust Boundaries
■ Visually with DFDs or other diagrams
■ Step#0: Scoping the Model
■ Step#1: Decompose the Application
■ Step#2: Identify the Threats (and risk level)
■ Step#3: Determine the Countermeasures
■ Step#4: Analyze Result
30. Back to Basics
■ 4 core questions of threat modeling:
1. What are you building?
2. What can go wrong?
3. What are you going to do about it?
4. Did we do a good job?
■ “All Threat Models are wrong, some are useful”
31. Reframing TM
■ Accept that it’s wrong, focus on the usefulness
1. Why are we building this?
2. What needs to go right?
3. How do we make sure that happens?
33. Value Driven Process
■ Start from standard baseline
– Skip obvious threats (e.g. XSS, HTTPS)
– Relies on basic code hygiene
– Security training for all developers and testers!
– Threat Library
■ Threat model each User Story / Epic
– During “Discovery” or Sprint Planning
– Agile approach of “just enough” threat model
– Threat model goes into the User Story
34. Value Driven Process
■ Find the value of each feature
– Follow the money!
– How do people die?
35. Value Driven Process
■ State story goals
■ Describe correct flow and conditions
■ Highlight assumptions and failure states
■ Validate assumptions and enforce conditions
■ Explicitly handle failure states
36. Value Driven for Non-Developers
■ Result of Threat Model <-> Black-Box Threat Modeling
– ✗ Cross Site Request Forgery (CSRF) <-> ✓ Unauthenticated Access to Cash Transfer
– ✗ Stored XSS <-> ✓ Admin Takeover
– ✗ AuthZ Bypass <-> ✓ Change Delivery Address
– ✗ Denial of Service <-> ✓ Loss of Revenue/Market
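The process on slide 35 (state the goal, describe the correct flow, make assumptions and failure states explicit, then enforce them) and the business-level framing on slide 36, worked through for the "cash transfer" story as an added example; this is illustrative code, not from the talk, and the `Ledger`, `Session`, account names and amounts are constructed.

```python
"""Value-driven threat model for one user story, written as code.

Story: "As an account holder, I can transfer cash to another account."
Goal:  only the owner moves money out of an account, never more than it holds.
Everything below (Ledger, Session, accounts, amounts) is constructed for
illustration and is not the talk's own material.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Session:
    """Assumption: the auth layer (part of the baseline, not modelled here)
    has already verified the identity behind this session; None means the
    request is unauthenticated."""
    user: Optional[str]


class TransferRefused(Exception):
    """Explicit failure state: every refused transfer names its reason and
    leaves all balances untouched."""


@dataclass
class Ledger:
    owners: dict                       # account id -> owning user
    balances: dict                     # account id -> balance in integer cents (assumption)
    audit: list = field(default_factory=list)

    def transfer(self, session: Session, src: str, dst: str, amount: int) -> int:
        """Correct flow: an authenticated owner moves a positive amount they
        hold into a different, existing account. Returns the new src balance."""
        # Condition: caller is authenticated
        # (slide 36 threat: unauthenticated access to cash transfer).
        if session.user is None:
            self._refuse("unauthenticated", src, dst, amount)
        # Condition: caller owns the source account
        # (slide 36 threat: AuthZ bypass moving someone else's money).
        if self.owners.get(src) != session.user:
            self._refuse("not_owner", src, dst, amount)
        # Condition: destination exists and is not the source.
        if dst not in self.balances or dst == src:
            self._refuse("bad_destination", src, dst, amount)
        # Condition: amount is a positive integer no larger than the balance
        # (a negative amount would silently reverse the flow).
        if not isinstance(amount, int) or amount <= 0 or amount > self.balances[src]:
            self._refuse("bad_amount", src, dst, amount)
        # Happy path: both sides change together, then the event is recorded.
        self.balances[src] -= amount
        self.balances[dst] += amount
        self.audit.append(("ok", session.user, src, dst, amount))
        return self.balances[src]

    def _refuse(self, reason: str, src: str, dst: str, amount) -> None:
        # Every failure state is handled the same way: logged, then refused.
        self.audit.append(("refused", reason, src, dst, amount))
        raise TransferRefused(reason)


def run_abuser_stories() -> dict:
    """Abuser stories for the story above: each key is the business-level
    threat a non-developer would recognise, each attempt the technical move
    that realises it. Returns threat -> refusal reason; '' means the attempt
    went through (acceptable only for the legitimate control case)."""
    def attempt(session, src, dst, amount):
        ledger = Ledger(owners={"acc-alice": "alice", "acc-bob": "bob"},
                        balances={"acc-alice": 10_000, "acc-bob": 500})
        try:
            ledger.transfer(session, src, dst, amount)
            return ""
        except TransferRefused as exc:
            return str(exc)

    return {
        "unauthenticated access to cash transfer":
            attempt(Session(None), "acc-alice", "acc-bob", 100),
        "authz bypass: move another user's money":
            attempt(Session("bob"), "acc-alice", "acc-bob", 100),
        "overdraw: transfer more than the balance":
            attempt(Session("alice"), "acc-alice", "acc-bob", 20_000),
        "negative amount reverses the flow":
            attempt(Session("bob"), "acc-bob", "acc-alice", -400),
        "legitimate transfer (must go through)":
            attempt(Session("alice"), "acc-alice", "acc-bob", 2_500),
    }


if __name__ == "__main__":
    for threat, outcome in run_abuser_stories().items():
        print(f"{threat}: {outcome or 'allowed'}")
```

Each abuser story reads as a line in the user story's acceptance criteria, so the threat model lives with the story rather than in a separate document.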
37. Benefits over Classic TM
■ Much quicker – faster to useful TM
■ In tune with pace of development
■ Iterative – just like agile development
■ More natural for developers
■ Documentation always up to date
■ Better communication
■ Easier to integrate with e.g. Scrum, Kanban
■ Don’t need piles of consultants
■ Scalable
38. Limitations
■ Not complete
■ Misses a LOT of threats
■ Relies on developer experience
■ Security champion must be part of team
■ Low assurance for high risk systems
39. Summary
■ Developers – start threat modeling!!
■ TM should be part of dev workflow
■ Focus on business value
■ Start with the useful part of TM – and stop there
■ Skip the overkill – until you really need it