Making your own Web Security P.A.S.T.A - BSidesATL | Tony UcedaVelez

  • Published: 9 Sep 2024
  • The Process for Attack Simulation & Threat Analysis (P.A.S.T.A.) is an asset-centric, risk-based threat modeling methodology that connects the security dots within a given SDLC: how to discover vulnerabilities, how to attack them, how to apply the right countermeasures, and more. Today's application assessment options are both misunderstood and misapplied when assessing web applications or any other application environment. Oftentimes, traditional security tools and testing methods seem to compete with one another instead of supporting a common goal, especially when trying to foster a "build security in" doctrine. This concept of building security in has been spoken of for some time, yet little real traction has taken place among adopters; even with the information and support around frameworks such as the Software Assurance Maturity Model (SAMM) and the Building Security In Maturity Model (BSIMM), adoption is slower than anticipated.
    The outlined process will provide a way in which BSIMM or SAMM can be sustained, via an anchored and repeatable threat modeling process. Audience members will be introduced to the P.A.S.T.A. process, and go through key exercises related to application decomposition including but not limited to data flow diagramming, attack tree build-outs, and countermeasure development.
    In the realm of application security, Tony is a threat modeling evangelist and has given numerous talks domestically and globally on its many benefits and applications. He has served as a guest mentor to teams participating in Kennesaw State University's annual Cybercrime capture-the-flag event, as well as a Cybercrime speaker for Southern Polytechnic University in Atlanta (2009). He has also been a guest speaker on application threat modeling during ISACA's annual Geek Week event and a keynote speaker on the subject for ISACA's Global Symposium webcast series. Additional publications include articles on COBIT and the Val IT model (ISACA Journal), application threat modeling within the SDLC (InSecureMagazine), and security process engineering for a ROSI (return on security investment) (Journal of Finance). He is currently finalizing a book with Wiley Life Sciences on the Process for Attack Simulation and Threat Analysis, due out in 2012. Tony currently leads an Atlanta-based security consulting firm that provides a hybrid approach to InfoSec by maintaining strong duality and expertise across both AppSec and GRC. He has consulted for numerous global Fortune 500 organizations in both the private and public sectors across a myriad of security disciplines, ranging from security architecture and design to secure application development.
    Tony currently leads the OWASP Atlanta Chapter, where he manages monthly workshops and events for the Atlanta web application security community. He also serves on the OWASP Global Membership Board and regularly provides talks to other chapters nationwide, primarily on the topic of application threat modeling.
    // FIND VERSPRITE’S CYBERSECURITY TEAM ONLINE //
    ✦ VerSprite: versprite.com/
    ✦ LinkedIn: / versprite-llc
    ✦ Twitter: / versprite
    ✦ RUclips: / versprite
    // ABOUT VERSPRITE //
    VerSprite is a leader in risk-based cybersecurity services and PASTA threat modeling, enabling businesses to improve the protection of critical assets, ensure compliance, and manage risk. Our mission is to help you understand and improve your organization's cybersecurity posture. With cyberattacks increasing in number and sophistication daily, it is important to protect your organization's assets, protect your clients, and maintain the great reputation and trust you have worked hard to build. We believe that an integrated approach will result in better and more cost-effective security practices and better business outcomes overall.
    #websecurity #cybersecurity #VerSprite
