My name is Antonio Fontes, I am based in Geneva (Switzerland). I've been an active member of OWASP since 2008. My main objective at OWASP is supporting our Swiss national and local chapters and making sure our members get all the support they need to better interact with OWASP.
I also spend some time doing research work on topics directly related to application security. These projects include:
- Core programming skills: involves an empirical approach to identifying the core knowledge and skills that developers should learn during their initial training in order to immediately produce more resilient code. The project started in 2012, field testing with developers started in 2014 and we are collecting feedback to improve the list. The list now contains 9 items. The main project deliverable is a training slide deck that will be made available to teachers and trainers involved in software programming courses without a strong emphasis on security.
- Software intrusion patterns: involves identifying the root categories of attack patterns used by hackers and fraudsters in order to gain leverage within software. The objective is to reach an exhaustive system that allows for more sophisticated threat identification (during the threat modelling process) than the reference STRIDE model. This research involves several appsec professionals and our latest model contains 6 items. The project deliverable is the list.
- Threat modelling, catalogue-centric approach: the main objective of this project is to accelerate one particular phase of the threat modelling process: threat identification. The project involves creating a reference catalogue of threats, which may independently apply to certain types of software, and defining a process for selecting the applicable and relevant threats from this catalogue. The process is currently in use and under testing within some organizations. After a few iterations, the method will be published under OWASP (probably around mid-2017). The project deliverables include the threat catalogue and a document explaining the process for deriving security targets from protection profiles (similar to the Common Criteria process).
You can reach me by e-mail at [email protected] or on Twitter at @starbuck3000 for more information.