[Owasp-ireland] Threat Modeling Fundamentals & New PASTA Process Training Workshop

Tue Oct 15 16:49:00 UTC 2013

OWASP Ireland have teamed up with ISACA Ireland to bring a Threat Modeling
Workshop to Dublin and Belfast on November 7th & 8th.

Event Details

Learn the fundamentals and the practice of using threat modeling to
identify design flaws in applications, derive and information security
requirements and manage the technical risks by implementing
countermeasures. ISACA Ireland and OWASP Dublin are delighted to be teaming
up together to bring this exciting free threat modeling training workshop
on the new PASTA™ threat modelling process. Members and non-members alike
are welcome to attend this free seminar.

Part I will provide attendees with an understanding of basic threat
modeling process and what threat modeling entitles to as application risk
analysis process. While Part II will introduce the basic stages of a new
application threat modelling process called PASTA™ (Process for Attack
Simulation and Threat Analysis) for conducting threat analysis, attack
modelling and risk management and get insights on how  threats can be
mitigated by design by incorporating security requirements in the SDLC for
the design of security controls well as how threat modelling can be used to
derive specific security and vulnerability test cases to test the
effectiveness of security measures in protecting the application from
specific attacks.

*Part I: Threat Modeling Fundamentals*

The course will introduce the audience to the NIST risk terminology and
explain the relationships between information security threats and
vulnerabilities and technical and business impacts. It will then introduce
the audience to formal methods to analyze threats to applications, map
threats to vulnerabilities, modelling of attacks, and analyze data and data
flows and risks in application architectures.  Next the trainer will cover
the basic concept of threat modelling in the context of threats against
applications and software and explain the basic workflow for executing
threat modelling process, such as OWASP Application Threat Modelling.
Examples of the formal methods for the categorization of threats such as
STRIDE and the analysis of risk using factors such as DREAD factors as well
as likelihood and impact will be discussed.

*Part II: Threat Modeling Process Walkthrough and Use Cases*

A new application threat modeling process called PASTA™ (Process for Attack
Simulation and Threat Analysis) will be introduced. This process is a risk
based threat modelling process and meant to be used both by security teams
and application development teams. The trainer will provide an overview of
the PASTA™ process main stages and the goals and then walk through
different examples use cases to show the various activities that can be
followed to execute the process. The trainer will show how to analyze
threats and of the how to model and simulate attacks to identify risks in
the application posed by flaws in the design of a typical web application.
A demo will be given of some threat modelling artifacts obtained from free
versions of commercial threat modelling tools such as theMicrosoft SDL
Threat Modelling
Tool<http://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx>
and
myAppSecurity Inc., ThreatModeler™ <http://myappsecurity.com/> can help to
perform some of the stages of PASTA™ such as data flow diagramming,
application decomposition, security control enumeration, threat analysis
and risk mitigation.

There is no requirement to bring laptops but if people would like to do so
please come with theMicrosoft SDL Threat Modelling
Tool<http://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx>
as
well as the myAppSecurity Inc., ThreatModeler™
<http://myappsecurity.com/> already
installed and ideally have a play / practice with them before attending.

*About the Instructor*

Marco Morana serves the OWASP organization as project lead. In his day job,
Marco is SVP at large Financial Institution in London, where he manages a
team of security architects responsible for information security
governance, risk and compliance of architectural significant programs
globally. Marco contributions to OWASP include the application threat
modelling methodology of the OWASP secure coding guide the introduction to
the security testing methodology and value the real risk section of the
OWASP security testing guide. As project reviewer, Marco contributed to
review the OWASP Source Code Review Project and OWASP Security Analysis of
Core J2EE Design Patterns Project.  Marco is a regular presenter on the
topics of software and application security at OWASP organized meetings and
conferences in USA and Italy as well as at CSI and Blackhat security
conferences. Marco's work on application and software security has been
published on In-secure magazine, Secure Enterprise, ISSA Journal and the
C/C++ Users journal as well as DHS Software Security Assurance and is
currently co-authoring a book published by Wiley on Application Threat
Modeling<http://www.amazon.co.uk/Application-Threat-Modeling-Marco-Morana/dp/0470500964>
and
theApplication Security Guide for
CISOs<https://www.owasp.org/index.php/Application_Security_Guide_For_CISOs>
book
published by OWASP.

*Agenda*

3.30 pm Registration & Networking

4.00 pm - Part I: Threat Modelling Fundamentals

5.00pm - Break

5.15 pm - Part II: Threat Modelling Process Walkthrough and Use Cases

6.30 pm - Questions followed by networking

*Target audience*

information security officers, risk managers, software
developers/application architects, security compliance auditors,
consultants members & non-members.

Registration for the Dublin event - Friday November 8th, 15:30 - 19:00:
http://www.eventbrite.com/event/8804337009/eorg

Registration for the Belfast event - Thursday November 7th, 15:30 - 19:00
http://www.eventbrite.com/event/8803841527/eorg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-ireland/attachments/20131015/bae5524e/attachment.html>