Threat Modeling Fundamentals & New PASTA Process Training Workshop - Dublin
Event Information
Description
Learn the fundamentals and the practice of using threat modeling to identify design flaws in applications, derive information security requirements and manage technical risks by implementing countermeasures. ISACA Ireland and OWASP Dublin are delighted to be teaming up to bring this free threat modeling training workshop on the new PASTA™ threat modelling process. Members and non-members alike are welcome to attend this free seminar.
Part I will give attendees an understanding of the basic threat modeling process and of what threat modeling entails as an application risk analysis process. Part II will introduce the basic stages of a new application threat modelling process called PASTA™ (Process for Attack Simulation and Threat Analysis) for conducting threat analysis, attack modelling and risk management. Attendees will gain insight into how threats can be mitigated by design, by incorporating security requirements into the SDLC for the design of security controls, and into how threat modelling can be used to derive specific security and vulnerability test cases that test the effectiveness of security measures in protecting the application from specific attacks.
Part I: Threat Modeling Fundamentals
The course will introduce the audience to the NIST risk terminology and explain the relationships between information security threats and vulnerabilities and their technical and business impacts. It will then introduce formal methods to analyze threats to applications, map threats to vulnerabilities, model attacks, and analyze data, data flows and risks in application architectures. Next the trainer will cover the basic concept of threat modelling in the context of threats against applications and software and explain the basic workflow for executing a threat modelling process, such as OWASP Application Threat Modelling. Examples of formal methods for categorizing threats, such as STRIDE, and for analyzing risk using factors such as DREAD as well as likelihood and impact, will be discussed.
Part II: Threat Modeling Process Walkthrough and Use Cases
A new application threat modeling process called PASTA™ (Process for Attack Simulation and Threat Analysis) will be introduced. This is a risk-based threat modelling process meant to be used by both security teams and application development teams. The trainer will give an overview of the main stages and goals of the PASTA™ process and then walk through several example use cases to show the activities that can be followed to execute it. The trainer will show how to analyze threats and how to model and simulate attacks to identify the risks posed to an application by flaws in the design of a typical web application. A demo will show how threat modelling artifacts produced by free versions of commercial threat modelling tools, such as the Microsoft SDL Threat Modelling Tool and myAppSecurity Inc.'s ThreatModeler™, can help to perform some of the stages of PASTA™, such as data flow diagramming, application decomposition, security control enumeration, threat analysis and risk mitigation.
There is no requirement to bring laptops, as the trainer will demonstrate each tool on the projector, but if you would like to follow along on your own machine to get the most out of the event, please install the following tools before the session:
- Threat Modeler-PASTA http://myappsecurity.com/
- SDL Threat Modeling Tool http://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx
- Threat Analysis and Modeling Tool (TAM) http://archive.msdn.microsoft.com/tam
- Practical Threat Analysis http://www.ptatechnologies.com/ProductsFrameset.htm
About the Instructor
Marco Morana serves the OWASP organization as a project lead. In his day job, Marco is SVP at a large financial institution in London, where he manages a team of security architects responsible for the information security governance, risk and compliance of architecturally significant programmes globally. Marco's contributions to OWASP include the application threat modelling methodology of the OWASP Secure Coding Guide, and the introduction to the security testing methodology and the "value the real risk" section of the OWASP Security Testing Guide. As a project reviewer, Marco helped review the OWASP Source Code Review Project and the OWASP Security Analysis of Core J2EE Design Patterns Project. Marco is a regular presenter on software and application security at OWASP meetings and conferences in the USA and Italy as well as at the CSI and Black Hat security conferences. Marco's work on application and software security has been published in In-secure magazine, Secure Enterprise, the ISSA Journal and the C/C++ Users Journal as well as by DHS Software Security Assurance, and he is currently co-authoring a book on Application Threat Modeling published by Wiley and the Application Security Guide for CISOs published by OWASP.
Agenda
3.30 pm - Registration & Networking
4.00 pm - Part I: Threat Modelling Fundamentals
5.00 pm - Break
5.15 pm - Part II: Threat Modelling Process Walkthrough and Use Cases
6.30 pm - Questions followed by networking
Target audience
Information security officers, risk managers, software developers/application architects, security compliance auditors, consultants, members & non-members.