Loading…
This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
View analytic
Monday, January 26 • 8:30am - 5:00pm
Training: Risk Centric Threat Modeling & Metrics in the SDL

Sign up or log in to save this to your schedule and see who's attending!

This training will walk through the 7 stages of the Process for Attack Simulation and Threat Analysis (PASTA), a risk centric approach to threat modeling that can be paralleled to SDL activities for developers, architects, system engineers, and (of course) security professionals. Students will begin by learning about threat modeling fundamentals that are agnostic to any methodology. Activities such as application deconstruction, data flow diagramming, enumeration exercises, use/ abuse case mapping will all be exemplified in the training. The key benefit will be in applying a risk centric approach to threat modeling via the PASTA approach which looks to identify the most likely attack vectors based upon harvesting threat intelligence sources and evaluating other factors such as deployments models, inherent industry threat agents/ motives, and overall application architecture. An outline of the training to be provided is included below:

I. Threat Modeling Intro & Primer
  A. Objectives & Approaches
  B. Threat Modeling Taxonomy & Syntax
  C. Tools & Techniques
  D. PASTA Methodology Overview
II. P1 – Define Business Objectives of Application Threat Model (Goal: Define Impact)
  A. Enumerate business objectives serving as application drivers
  B. Identify application data types (privacy implications)
  C. Identify regulatory impact/ landscape for application environment
  D. Identify SLAs associated with product app
III. P2. Define Technology Scope (Component Enum)
  A. Enum Application Frameworks leveraged by Framework
  B. Enum platform components (system OS, etc.)
  C. Enum actors running component processes
  D. Enum network services supporting various layers of application architecture
  E. Enum third party product (COTS) supporting application solution
  F. Enum data components across application layers
  G. Enum existing countermeasures (processes, technological controls, etc.)
IV. P3 – Application Decomposition (Call Tracing – Understanding calls amongst app components)
  A. Identify Use Cases using Components
  B. Map Call Flows amongst App Components
  C. Identify Trust Boundaries in the Application
  D. Perform CRUD exercises on back data storage sources (DBs, disk, client data storage)
  E. System level permissioning review
  F. Open and Integrated Auth Model Considerations
  G. Cloud API considerations
V. P4 – Threat Analysis
  A. Harvesting relevant threat intel sources (external sources)
  B. Harvesting threat data (internal sources)
  C. Probabilistic threat analysis
  D. Deployment models and architectural review of apps
  E. Identifying Threat Agents and Motives for targeted app
VI. P5 – Vuln Analysis
  A. Leveraging vulnerability assessments
  B. Using a strong Weakness/ Vulnerability Library (CVE/ CWE)
  C. Identifying & Correlating flaws in application model
  D. Identifying & Correlating system/ DB/ framework related vulnerabilities
VII. P6 – Attack Modeling
  A. Leveraging a valid attack library (CAPEC)
  B. Understanding Kill Chains and Attack Trees
  C. Assigning probabilities to attack branches (probabilistic analysis of attacks)
D. Exploit DB & Common Attack Patterns
VIII. P7 – Residual Risk Analysis & Countermeasure Development
  A. Inherent countermeasures
  B. Inherent countermeasure effectiveness
  C. Residual Risk Analysis
  D. Impact Analysis from Threats
  E. Prioritizing Countermeasures
IX. Threat Modeling Vignettes
  A. Threat Modeling Exercises in groups
X. Maturity Modeling & SDLC Integration
  A. OpenSAMM Use
  B. SDLC Metrics
  C. RACI for PASTA


Speakers
TU

Tony UV

With nearly 20 years of IT/ IS experience across three different continents, Tony has accumulated both hands on operational and management experience at a global level. Founder of VerSprite – a risk focused security consulting firm in Atlanta – Tony works with the global Fortune 500 organizations that are seeking something beyond compliance driven approaches to security challenges. Tony is an author of the only risk centric threat modeling... Read More →


Monday January 26, 2015 8:30am - 5:00pm
Annenberg Guest House