Difference between revisions of "Bristol"

= Next Meeting =
* Thu Jul 21 - register at
* Thu Sep 15 - register at
* Thu Nov 17 - register at:
'''Date''': Friday, 20th May 2016, 18:00
'''Location''': KPMG
'''Event sponsors''': KPMG
'''Workshop''': Secure Application Design and Cyber-Attack Simulation & Testing Using Risk Centric Threat Modelling
'''Event Summary'''
The presentation will cover the fundamentals and the practice of using threat modelling to review the design of web and mobile applications and to identify design flaws that lead to security weaknesses. Attendees will learn how to mitigate threats through the design of security controls and countermeasures, and how to derive security test cases from use and abuse cases and attack vectors in order to identify vulnerabilities in web and mobile applications. The overall workshop consists of two sessions of one hour each: the first session gives attendees an understanding of the fundamentals of threats, attacks, vulnerabilities and their impact on data assets. The second session gives an example of how to conduct threat modelling, including analysis of the threats affecting a specific application, the modelling of attack vectors, the derivation of specific security requirements for the design of the web application during the SDLC, and the derivation of test cases to simulate the behaviour of a web or mobile application under specific types of attack.
'''Part I: Threat Modelling Fundamentals'''
The course will introduce the audience to basic threat and risk terminology and explain the relationships between information security threats, attacks, vulnerabilities, assets and the impact on these from technical and business perspectives. We will cover different methodologies for analysing threats and for modelling attacks and data, methods for analysing the application design to identify design flaws, methods for deriving test cases from use and abuse cases, and methods for assigning severity to the risk of the issues identified.
'''Part II: Threat Modelling Process Walkthrough'''
A new threat modelling process for simulating attacks and analysing threats will be introduced, and we will show how it can be used by security architects to identify design flaws, by pen testers to conduct specific types of tests, and by information security managers to manage the risk of targeted cyber-attacks against web and mobile applications. A process walkthrough will cover, with examples, the activities that need to be followed to conduct threat modelling during the SDLC: deriving security requirements for the secure design of applications, using data flow diagrams to analyse security controls in the application architecture, threat analysis of specific types of threats to the application assets, and attack modelling to derive attack vectors that, along with use and abuse cases, can be used to derive test cases for simulating real attacks against web and mobile applications. For information risk managers, we will show how threat modelling is a critical assessment that can help to identify countermeasures to mitigate the risk of sophisticated cyber-threats such as malware, data compromise and denial of service attacks.
'''Bio: '''
Dr. Marco Morana volunteers for the OWASP organization as project leader of the Application Security Guide for CISOs and is currently a member of the OWASP London chapter.
In his current professional role, Dr. Morana works as Senior Vice President at a large Financial Institution (FI) in London, UK, where he is responsible for the architecture, risk analysis and threat modelling program. Dr. Morana also leads strategic initiatives to identify new countermeasures for mitigating the risks of sophisticated cyber-threats targeting web and mobile applications.
In his distinguished 15+ year career in application security, Dr. Morana has held roles at different companies as security consultant, application security architect, professional trainer and program manager. As a cyber-security technologist, Dr. Morana's most important contribution to cyber-security is the invention of the first secure email plug-in using the S/MIME protocol, which was patented for NASA in 1996.
Dr. Morana has been an advisor to the EU-funded cyber-crime roadmap research project CyberROAD and lectures yearly at the PhD Summer School on Computer Security & Privacy at the University of Cagliari, Italy.
Dr. Morana has been an active contributor to the OWASP organization since 2005, volunteering for the following projects: the Application Security Guide for CISOs, the OWASP Security Testing Guide, the OWASP Source Code Review Project, the OWASP Security Analysis of Core J2EE Design Patterns Project and, most recently, the OWASP cyber-security startup accelerator initiative.
His work on application and software security has been widely published in In-secure Magazine, Secure Enterprise and the ISSA Journal, as well as in DHS Software Security Assurance; his most recent work is the book Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis, published by Wiley in 2015.
* [[2016-05-20-Bristol]]
* [[2016-03-17-Bristol]]
* [[2016-01-21-Bristol]]

Revision as of 18:25, 21 June 2016

OWASP Bristol, UK

Welcome to the Bristol, UK chapter homepage. Details of the chapter leaders are here Bristol_Chapter_Leaders.


OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association, your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world, simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.


Donate to this chapter or become a local chapter supporter. Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now

Please contact Bristol Chapter Leaders if you have further questions.

Chapter Sponsors

The following is the list of OWASP Corporate Members who have generously aligned themselves with the Bristol chapter, thereby contributing funds to our chapter:

Meeting Sponsors

The following is the list of organisations who have generously provided us with space for Bristol chapter meetings:

KPMG, Just Eat

Chapter Meetings

We are looking for organizations to sponsor the Bristol chapter.

You can sponsor the chapter for one year at the following levels:

  • £2000 Platinum
  • £1000 Gold
  • £500 Silver

If you are interested in sponsoring the chapter then please get in touch with one of the Bristol Chapter Leaders.

Call for Presentations

OWASP Bristol (UK) Chapter Call For Presentation

As a speaker, please review the OWASP speaker agreement.

Stay in contact:

Meetup | Join the list | Follow us on Twitter