Los Angeles/2009 Meetings/September 16

Topic: The Rise of Threat Analysis and the Fall of Compliance, Policies, and Standards in Mitigating Web Application Security Risks

Speaker: Marco Morana

Marco Morana serves as one of the leaders of OWASP (Open Web Application Security Project) organization where he is actively involved in evangelize on web application security through presentations at local chapter meetings in USA as well as internationally. Marco has recently been awarded a contract from Wiley Publishing to co-author a book on Application Threat Modeling.

Besides being the OWASP Cincinnati chapter lead, Marco is also active contributor to OWASP projects such as the application threat modeling methodology for secure coding guideline and the security testing guide (ver. 2 and 3). Besides contributing to OWASP, Marco works as Technology Information Security Officer for a large financial organization in North America with responsibilities in the definition of the organization web application security standards, management of application security assessments during the SDLC, threat-fraud analysis and training of software developers, project managers and architects on different topics related to application security.

In the past, Marco served as senior security consultant and independent consultant where his responsibilities included providing software security services for several clients in the financial and banking, telecommunications and commercial sector industry. Besides security consulting, Marco had a career as technologist in the security industry where he contributed to the design business critical security products currently being used by several FORTUNE 500 companies as well by the US Government.

Marco work on software security is referred in the 2007 State Of the Art report by the Information Assurance Technology Analysis Center (IATAC). Marco received the NASA’s Space Act Award in 1999 for the patenting the S/MIME SEP (Secure Email Plug-in) application.

Marco research work on application and software security is widely published on several magazines such as In-secure magazine, Secure Enterprise, ISSA Journal and the C/C++ Users journal. Marco’s ideas and strategies for writing secure software are posted on his blog: http://securesoftware.blogspot.com.

Speaker: Tony UcedaVelez

Tony UcedaVelez has more than 10 years of hands-on security and technology experience and is a vocal advocate of security process engineering – a terminology that describes the design and development of secure processes and controls working symbiotically to a unique business workflow. Tony currenlty serves as Managing Director for an Atlanta based risk advisory firm that focuses on security strategy and delivering effective means for risk mitigation and security process engineering. He has worked and consulted for the Fortune 500, as well as federal agencies in the U.S on the topic of application security and security process engineering. His diverse background in software development, security architecture, and network security, coupled with his expertise in process engineering and security risk management has allowed Tony to be a recognized leader in developing strategic security solutions that are multi-faceted in their approach to addressing enterprise risk.

In the realm of application security, Tony is a threat modeling evangelist and has provided numerous talks domestically and globally on its many benefits and application. He has served as a guest mentor to teams participating in Kennesaw State University’s annual Cybercrime capture the flag event as well as a Cybercrime speaker for Southern Polytechnic University in Atlanta. He has also served as a guest speaker on the subject of application threat modeling during ISACA’s annual Geek Week event and has also served as a keynote speaker on the subject for ISACA’s Global Symposium web cast series. Additional articles include articles related to CoBIT and the ValIT model (ISACA’s Journal), application threat modeling within the SDLC (InSecureMagazine), and security process engineering for a ROSI (return on security investment) (Journal of Finance). He is currently finalizing a Wiley publishing book on Application Threat Modeling with Marco Morana.

Prior to VerSprite, Tony served as Sr. Director of Security Risk Management to a Fortune 50 organization where he led security assessments against global application environments. His work encompassed web application security testing, security architecture reviews, and analysis for business logic exploits. He applied effective ways to introduce the subject of application risk to information owners by effectively mapping them to causal factors for business. Previous to this role, he spent more than 5 years in the field of application security across other Fortune 500 organizations within the banking, telecom, and information service industry segments.

Tony currently leads the OWASP Atlanta Chapter, where he manages monthly workshops and events for the Atlanta web application security community. He also has developed a case study program for the Atlanta chapter in order to develop case studies with local Atlanta companies who are seeking to apply application threat modeling techniques within the SDLC and/ or incorporate the many OWASP produced tools and frameworks. Tony can be reached at [email protected] or [email protected].

Abstract: The Rise of Threat Analysis and the Fall of Compliance, Policies, and Standards in mitigating Web Application Security Risks

On August 5th of 2009, Federal prosecutors on Monday charged Albert Gonzales with the largest case of credit and debit card data theft ever in the United States: 130 million credit cards numbers by hacking into the systems of Heartland Payment Systems, the New Jersey-based card processing company, as well as Hannaford Brothers, 7-Eleven and two unnamed national retailers. Using a SQL-injection attack, the hackers installed malware on Hannaford Brothers. Hannaford was PCI compliant at the time they were compromise that lets question the validity of regulatory compliance frameworks, and specifically PCI standards as an effective method to reduce data breaches, identity theft, and the proliferation of credit card fraud. This presentation will further analyze how status quo security standards, such as PCI-DSS, as well as other policies, standards, and guidelines truly affect security risk mitigation efforts against cybercrime based threats. These traditional efforts will be compared to threat modeling workflows in order to demonstrate how real risk is mitigated under each scenario.

Cases for financial fraud will be anonymously presented to create a business case for application threat modeling as a viable methodology to drive improved application design and security risk mitigation. Threat modeling concepts will be elaborated in order to prove how application architecture walkthroughs via threat modeling improve the mitigation of cybercrime threats. Attacker motives and goals will be presented and incorporated into attack trees and it will show how attack libraries can be used to effectively identify application vulnerabilities and devise countermeasures in web application.

From the risk analysis perspective, several attacks will be considered and highlighted, particularly attacks that represent a systemic impact to an organization or government (such as for example a distributed denial of service).

Through the presentation of threat modeling scenarios, analyses and correlations will be drawn from the represented model(s) to attack patterns, associated and discovered security vulnerabilities, data sources, application topologies, and possible roles and permissions associated with the application environment. The purpose of the presentation is to demonstrate how application threat modeling can be used as part of a nouveau age form of security risk mitigation and overall application security. Data flow diagrams and application walkthroughs will enable audience members to witness how application threat modeling is an evolved form of security process engineering for improved application design and overall application security. The presentation will also demonstrate how threat modeling is capable of delivering critical business functions as well as in mitigating current and future cyber attacks, such as distributed denial of service, botnet driven-malware, spear phishing techniques, and more attacks that ultimately lead to identity and credit card fraud.

From the point of view of current and future cybercrime risk mitigation, several different strategies for application threat modeling will be discussed as related to securing both the web application web and critical financial infrastructures, such as ATMs. Finally some emphasis will be given to countermeasures that provide for incident response, intelligence and forensics capabilities.

Presentation outline, defining all topics that will be covered:

• Status quo of regulatory compliance in mitigating risk
• Threat modeling techniques for cybercrime threats
• Attack tree analysis for attack tree vectors
• Threat modeling for multi-channel fraud threat scenarios
• Cyber crime threats and application countermeasures via threat modeling
• Example of mitigation strategies for cybercrime and application of defense in depth for web applications

Any supporting research/tools:

• Threat models and attack trees
• Threat model are produced using the Microsoft™ threat modeling tool
• Public available cybercrime data will be presented and correlated