Date: Friday, 20th May 2016, 18:00
Event sponsors: KPMG
Workshop: Secure Application Design and Cyber-Attack Simulation & Testing Using Risk Centric Threat Modelling
The presentation will cover the fundamentals and the practice of using threat modelling to review the design of web and mobile applications and identify design flaws that lead to security weaknesses. Learn how to mitigate threats with the design of security controls and countermeasures and security test cases that can be derived from use and abuse cases and attack vectors to identify vulnerabilities in web and mobile applications. The overall workshop consists of two sessions of one hour each: the first session will provide attendees with an understanding of the fundamentals of threats, attacks vulnerabilities and impact on the data assets. The second session will provide example on how to conduct threat modelling including analysis of the threats affecting a specific application software, the modelling of the attack vectors, the derivation of specific security requirements for the design of the web application during the SDLC and the derivation of test cases to simulate the behaviour of either a web or mobile application under specific types of attacks.
Part I: Threat Modelling Fundamentals
The course will introduce the audience to basic threat and risk terminology, explain the relationships between information security threats, attacks, vulnerabilities, assets and impact on these from technical and business impacts perspectives. We will cover different methodologies to analyze threats to and for the modeling of attacks and data, methods for analyze the application design to identify the design flaws, methods for deriving test cases using use and abuse cases and methods for assigning severity to the risk of the issues being identified.
Part II: Threat Modelling Process Walkthrough
A new threat modelling process for simulating attacks and analyse threats will be introduced and will be shown how can be used by security architects to identify design flaws, by pen testers to conduct specific types of tests and by information security managers to manage the risk of targeted cyber-attacks against web and mobile applications. A process walkthrough will cover with examples the various activities that need to be followed to conduct threat modelling during the SDLC such as to derive security requirements for the secure design of applications, data flow diagrams to analyse security controls in the application architecture, threat analysis to analyse specific types of threats to the application assets and attack modelling to derive attack vectors that along with use and abuse cases can be used to derive test cases for simulating real attacks against web and mobile applications. For information risk managers, we will show how threat modelling is a critical assessment that can help to identify countermeasures to mitigate the risk of sophisticated cyber-threats such as malware threats, data compromise threats and denial of service attack threats.
Bio: Dr. Marco Morana volunteers for the OWASP organization as project leader of the application security guide for CISOs and is current member OWASP London chapter.
In his current professional role, Dr. Morana works as Senior VicePresident at large Financial Institution (FI) in London, UK where he is responsible for the architecture, risk analysis, and threat modelling program. Dr. Morana also leads strategic initiatives to identity new countermeasures for mitigating the risks of sophisticated cyber-threats targeting web and mobile applications.
In his distinguished 15+ years of career in application security, Dr. Morana held roles in different companies as security consultant, application security architect, professional trainer and program manager. As cyber-security technologist, Dr. Morana most important contributions to cyber-security is the invention of the first secure email plug-in using SMIME protocol that was patented for NASA in 1996.
Dr. Morana has been the advisor of the EU funded project on cyber-crime roadmap research CyberROAD and provide lectures yearly at the PhD Summer School on Computer Security & Privacy at University of Cagliari Italy.
Dr. Morana has been an active contributor to the OWASP organization since 2005 volunteering for the following projects: application security guide for CISOs , OWASP security testing guide , the OWASP Source Code Review Project and OWASP Security Analysis of Core J2EE Design Patterns Project and most recently the OWASP cyber-security startup accelerator initiative
His work on application and software security has been widely published on In-secure magazine,Secure Enterprise, ISSA Journal as well as DHS Software Security Assurance and the most recent work is Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis Book published by Wiley in 2015.