December 20, 2011 at 6:30 PM

Advanced Threat Modeling
by John Steven


Abstract

How will attackers break your web application? How much security testing is enough? Do I have to worry about insiders? Threat modeling, applied with a risk management approach can answer both of these questions if done correctly. This talk will present advanced threat modeling step-wise through examples and exercises using the Java EE platform and focusing on authentication, authorization, and session management. Participants will learn, through interactive exercise on real software architectures, how to use diagramming techniques to explicitly document threats their applications face, identify how assets worth protecting manifest themselves within the system, and enumerate the attack vectors these threats take advantage of. Participants will then engage in secure design activities, learning how to use the threat model to specify compensating controls for specified attack vectors. Finally, we'll discuss how the model can drive security testing and validate an application resists specified attack.

 

About the Speaker

John Steven

John Steven is the Internal Chief Technology Officer at Cigital, with over a decade of hands-on experience in software security. Mr. Steven’s expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, Mr. Steven has provided strategic direction as a trusted adviser to many multinational corporations. Mr. Steven’s keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. Mr. Steven holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.

 

 

Please RSVP if you plan to attend.
Non-members are welcome without charge!  Light refreshments will be served.


Tuesday, December 20, 2011 6:30 PM

Government Printing Office
Room A138
732 N. Capitol St.
Washington, DC, 20401

Click here for details