Threat modeling; A risk management approach

Revision as of 09:57, 21 July 2009 by EoinKeary (Talk | contribs)


Threat modeling, applied with a risk management approach, answers questions about who will attack your system and how. Done correctly, it sets the context for answering the question "how much security is enough?". This talk will present advanced threat modeling step-wise using the Java EE platform, focusing on authentication, authorization, and session management. Participants will learn how to use diagramming techniques to explicitly document the threats their applications face, identify how the assets worth protecting manifest themselves within the system, and enumerate the attack vectors those threats take advantage of. The talk will focus on teaching security professionals software/application design techniques that give them greater insight into common web attacks (and into why the controls commonly applied often do not improve the application's security), as well as giving them models that get beyond common attacks to those which, while high-impact, are often ignored.