OWASP AppSec India Conference 2008 Advanced Threat Modeling


Advanced Threat Modeling

To secure your home, you will first need to know how the thief could possibly enter and exit and where you should store your valuables. The same is true of your web applications. Unless you know what the vulnerabilities and threats of your web applications are, and what security measures you should take to protect them, ev1L h@x0rS or the enemy within (insider) could take advantage of the vulnerabilities.

Threat Modeling is a technique that you can use to identify ATVS (attacks, threats, vulnerabilities and safeguards) that could affect your web applications. Threat Modeling helps in designing your application securely from a confidentiality, integrity, availability, authentication, authorization and auditing perspective. It is an essential activity to be undertaken during the design stage of your SDLC and helps mitigate and minimize overall risk.

Come for a fun, hands-on, interactive session that will cover the basic and advanced elements of threat modeling, filled with exercises for the attendees to participate in.

Session Coverage
The session will cover the following topics:
Introduction to Threat Modeling
Threat Modeling Process
Tools, Techniques and Templates
Demos and Hands-On Exercises
and more ...

Who should Attend?
This session is for Management, Technical (Developer, QA, Security ...) and Operational professionals, and any stakeholder who needs to understand how threat modeling can benefit their organization or company in designing secure web applications. Whether you are a novice or an expert in threat modeling, you will leave having learned something new about designing the next generation of hack-resilient web applications.

Come and Win exciting Prizes (possibly an iPod)
First Prize - A FREE voucher to the official (ISC)² CISSP® self-assessments (approx. $300 value) (or)
Second Prize - A FREE voucher to the official (ISC)² SSCP® self-assessments (approx. $110 value)
Third Prize - An iPod Shuffle

(ISC)² self-assessments are made possible courtesy of Express Certifications
iPod is a registered trademark of Apple Inc.

About the Instructor

Mano Paul

Mano Paul (CISSP, MCSD, MCAD, CompTIA Network+, ECSA) is the Founder and CEO at SecuRisk Solutions. Based out of Austin, Texas in the USA, SecuRisk Solutions specializes in three areas of information security solutions - Product Development, Consulting and Awareness, Training & Education.

Before SecuRisk Solutions, Mano held several roles, from software developer, quality assurance tester, logistics manager, technical architect and IT strategist to Security Engineer/Program Manager/Strategist at Dell Inc. His security experience includes designing and developing software security programs from Compliance-to-Coding, application security risk management, security strategy & management, and conducting security awareness training and education.

Mano is (ISC)²'s Software Assurance Advisor and an appointed Industry representative of the Information Systems Security Association (ISSA) Capitol of Texas chapter. He also serves as a faculty member for the ISSA security course at the local university.

Mano has been featured in various domestic and international security conferences, has contributed to and published various security articles, and is an invited speaker at the OWASP Application Security Conferences, CSI, Burton Group Catalyst, TRISC and the SC World Congress Conferences. He is a contributing author for the Information Security Management Handbook, writes periodically for the Certification Magazine and has contributed to several security topics for the Microsoft Solutions Developer Network.

Mano holds the following professional certifications - CISSP, ECSA, LPT, Microsoft Certified Solutions Developer (MCSD), Microsoft Certified Application Developer (MCAD) and the CompTIA Network+ certification.