OWASP AppSec India Conference 2008
Advanced Threat Modeling
To secure your home, you first need to know how a thief could enter and exit and where you should store your valuables. The same is true of your web applications. Unless you know what the vulnerabilities of and threats to your web applications are, and what security measures you should take to protect them, an ev1L attacker (outsider) or the enemy within (insider) could take advantage of those vulnerabilities.
Threat Modeling is a technique that you can use to identify ATVS (attacks, threats, vulnerabilities and safeguards) that could affect your web applications. Threat Modeling helps in designing your application securely from a confidentiality, integrity, availability, authentication, authorization and auditing perspective. It is an essential activity to be undertaken during the design stage of your SDLC and helps mitigate and minimize overall risk.
Mano Paul (CISSP, MCSD, MCAD, CompTIA Network+, ECSA) is the Founder and CEO of SecuRisk Solutions. Based in Austin, Texas, USA, SecuRisk Solutions specializes in three areas of information security solutions: Product Development; Consulting; and Awareness, Training & Education.
Before SecuRisk Solutions, Mano played several roles, from software developer, quality assurance tester, logistics manager, technical architect and IT strategist to Security Engineer/Program Manager/Strategist at Dell Inc. His security experience includes designing and developing software security programs from Compliance-to-Coding, application security risk management, security strategy & management, and conducting security awareness training and education.
Mano is (ISC)2's Software Assurance Advisor and an appointed Industry representative of Information Systems Security Association (ISSA) Capitol of Texas chapter. He also serves as a faculty member for the ISSA security course at the local university.
Mano has been featured at various domestic and international security conferences, has contributed to and published various security articles, and is an invited speaker at the OWASP Application Security Conferences, CSI, Burton Group Catalyst, TRISC and the SC World Congress conferences. He is a contributing author for the Information Security Management Handbook, writes periodically for Certification Magazine and has contributed to several security topics for the Microsoft Solutions Developer Network.
Mano holds the following professional certifications: CISSP, ECSA, LPT, Microsoft Certified Solutions Developer (MCSD), Microsoft Certified Application Developer (MCAD) and CompTIA Network+.